By: Andrew Bartholomew
Data protection regulations and privacy laws in the European Union (EU) differ greatly from those in the United States. These differences significantly impact e-discovery processes, especially for multinational companies seeking to collect data from employees in foreign jurisdictions such as the EU. Data privacy protections in Europe were formalized in 1995 with the EU Data Protection Directive (Directive 95/46/EC). It was created to protect personal data while allowing its free movement across the national borders of EU member countries. The directive includes a broad range of provisions, such as:
- An individual has the right to know that personal data about them is being collected. The personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”
- An individual has the right to choose not to have the personal data collected.
- An individual has the right to know the extent to which the personal data will be protected. Moreover, organizations must “implement appropriate technical and organizational measures to protect personal data.”
Recognizing the need to update and bolster the 1995 directive, the European Commission proposed the new EU Data Protection Regulation in January of this year to address emerging privacy issues and to create greater uniformity of data protection efforts among member states.
Attorneys Jim Daley and Ken Rashbaum discussed the proposed regulation last week on Exterro’s webcast, “Vie Privée, Privacidad, Privatsphäre, Privacy: EU Privacy Updates and Other Developments.” Unlike the EU Data Protection Directive, which established a framework that each member state implemented through its own national legislation, the EU Data Protection Regulation will be directly binding and will standardize existing data privacy laws across the 27 EU countries. “Under the new scheme, there will be one regulation that will apply to all of Europe,” Daley explained during the webcast. “From that standpoint it will be helpful, having a one-stop shop in terms of getting a ruling on whether something can be processed or whether it can be transferred.”
According to both speakers, the regulation, in its current form, will likely undergo significant revisions as it makes its way through a formal approval process. During the webcast, Daley and Rashbaum explored some of the key provisions that are likely to be incorporated into the final version, including:
- Companies with 250 or more employees worldwide will be required to appoint a data protection officer
- “Privacy by Design” will require companies to build privacy protections into the design of certain technologies rather than bolting them on afterwards
- A Cloud “safe harbor” will provide a specific set of data privacy rules for cloud providers that do business in Europe
- Standardized penalties for data protection violations will allow fines of up to 2% of a company’s annual worldwide turnover
- Data security breaches will have to be notified both to the supervisory authority and to the individuals whose data was affected
- Simplified procedures for transferring personal data outside of Europe will be established
The regulation must be approved by both the European Parliament and the Council of the European Union, a process that is expected to take 2 to 3 years. To learn more about the European Data Protection Regulation and other cross-border e-discovery issues, watch a full replay of Exterro’s most recent EU/Data Privacy webcast here.