News & Resources

Publications & Media

“Rules and regulations ‘across the pond’ that may force dramatic changes”

Safe and Sound By Heather L. Buchta

Here’s the good news about European data-security laws: The European Union has had a consistent, centralized legal regime in place for nearly 20 years.

The bad news: that may be about to change.

The EU’s Data Protection Directive, in force since 1995, provides a comprehensive data-security framework for member nations. It sets up guiding principles and then tasks each country with enforcing those principles. Compared to the patchwork of regulation in the United States, the EU’s directive makes it fairly easy for companies doing business there — in the sense that they at least know there are consistent rules to play by.

Of course, those rules tend to be stricter than those imposed by American authorities. If you’re doing business with European consumers online you generally face more robust disclosure requirements, for example, and just as EU law in general favors individual’s rights over corporations’, the directive gives EU consumers stronger protections than most stateside law. So a privacy policy that’s sufficient in the United States is wholly inadequate in Europe. The result is that a U.S. company may be able to decipher the rules, but complying with them is a daunting task. As The Guardian reported on July 22, 2014, Google must ask permission before creating a profile on users, a concept foreign in the United States where data is generally thought of as within the scope of a company’s ability to collect.

“In May, Europe’s top court reached a landmark decision ordering search engines such as Google to respond to individuals’ requests to remove old or personal information about them from search results for their own names,” The Wall Street Journal reported in July.

Thankfully, though, the EU years ago created helpful safe-harbor policies for American companies, allowing them to collect data in Europe (and ship it back to the United States) if they meet certain minimal standards, and receive a certification from the U.S. Department of Commerce. That certification allows American companies to advertise their compliance to European consumers—an important asset there, where citizens are generally suspicious of corporate data collection. Only U.S. organizations subject to the jurisdiction of the FTC or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation may participate.

In recent years European regulators have grown increasingly convinced that too many U.S. companies are receiving this certification without meeting the EU’s data-protection standards – an ominous situation for U.S. companies.

Two years ago the EU formed a commission to study the Data Protection Directive. The so-called Article 29 Working Party is studying every aspect of the directive, and has been issuing recommendations for adapting the directive in accordance with changes in technology and data use.

The recommended changes have so far been relatively minor. But at some point this year the working party should come in with some big suggestions. The scary part: we don’t know what those might look like. Even scarier: we don’t know whether the safe harbor provision will survive the revisions.

If it doesn’t, American companies would face an extremely difficult transition. Nearly every business would likely be forced to change the way it collects, transports and uses data collected in Europe.

Of course, we’re watching this closely and will provide whatever insights we can as it unfolds. For now, though, all we can really advise is to hope for the best.

Resources