The current European data protection regime is founded on Directive 95/46/EC dated 24 October 1995. Being a directive, it has indirect effect, meaning that the Member States are required to implement the Directive into local law by passing local enabling legislation. Additionally, national courts have the responsibility of fulfilling European Union (EU) obligations by interpreting domestic law consistently with the Directive. Because local legislation is inevitably implemented differently across the 28 Member States of the European Union, and indeed the wider European Economic Area (or EEA), the current European data protection regime is somewhat fragmented, with different Member States transposing the Directive into local law differently. The result is inconsistency across the Union, with companies operating across the EEA having to comply with a multiplicity and variety of obligations in the different jurisdictions comprising the region.
To resolve this issue, in January 2012 the European Commission proposed a comprehensive reform of the Union's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. For the private sector, this has been done by proposing a draft Regulation. Regulations, as opposed to directives, have direct effect, which means that from the date on which they come into effect (this date or time period is stated in each regulation), the regulation takes effect in the same way in each Member State (unless stated otherwise).
The Regulation has, in its relatively short and still not finalised draft versions, already been the subject of much debate, both within the relevant European institutions of the Council, Commission and Parliament (and their relevant committees) as well as without, with consultations having been conducted by various state and parastatal organisations in most, if not all, of the Member States. The Greek Presidency of the European Union, which runs for the first half of 2014, signalled it as a priority of its presidential term to obtain agreement on the final draft of the Regulation but, at the time of writing this article in April 2014, it is clear that this will not be achieved. Whether a final agreed draft will be ready during 2014 remains to be seen - if it is, and on the current drafting, the Regulation would come into effect in each Member State two years after it was published in the Official Journal of the European Union (or OJEU), so sometime in the latter part of 2016 or early 2017.
One continent, one law: A single, pan-European law for data protection will be established, replacing the current inconsistent patchwork of national laws. The benefits are estimated at €2.3 billion per year, primarily in the form of cost savings to industry, which will not have to comply with a multiplicity of privacy regimes across the Union and will only have to obtain certification for various activities in a single Member State (the so called "one stop shop" referred to below).
Fines: Data protection authorities will be able to fine companies which do not comply with the new rules up to EUR 100,000,000 or 5% of their global annual turnover.
Right to be forgotten: The right given to data subjects (that is, the individuals to whom the personal data relates) who no longer want their personal data (that is, data from which they can be identified and which relates to them; for example, their name, address, age, gender and so on) to be processed, and where there are no legitimate grounds for retaining it, to require the data controller (that is, the entity which controls the manner and reasons for which the personal data is processed) of that data to delete it.
One-stop-shop: companies operating in the European Union will only have to deal with a single supervisory authority, not one in each jurisdiction of the EEA, making it simpler and cheaper for companies to do business and obtain approvals across the region. If a supervisory authority gives its approval in one jurisdiction to a particular course of action, then this will be valid across the region.
Explicit Consent: The rules around the requirement of consent from data subjects to permit data controllers to perform certain activities in relation to that data subject's personal data will be tightened, and there will be a more onerous requirement on data controllers than is currently the case to obtain this consent explicitly (the so called "opt in" approach, rather than the currently quite common "opt out" one, where data subjects are required to tick a box if they do not, for example, want to receive additional mailings and so on).
Mandatory Breach Notification: Businesses and organisations will also need to inform the relevant supervisory authorities, as well as the data subjects concerned, as soon as possible about data breaches and data hacks. Currently, there is a smorgasbord of approaches to this requirement across the European Union, with some Member States demanding mandatory notification across the board, with others (such as the United Kingdom) only requiring it for particular sectors (for example, public authorities, ISPs and telcos).
Data protection as a priority, not an afterthought: ‘Privacy by design’ and ‘privacy by default’ will also become essential principles in EU data protection rules, meaning that data protection safeguards should be built into products and services from the earliest stage of development, and that privacy-friendly default settings should be the norm rather than the exception (for example on social networks and mobile apps).
Same rules for all: Today companies established in the EEA have to adhere to stricter standards than companies operating outside the EEA which also do business in the region. The reform is aimed at ensuring that companies based outside Europe will have to apply the same rules as those established within, creating a level playing field. The policing and enforcement of this feature is likely to be tricky, and concerns have been raised about the purported extra-territorial effect of this part of the Regulation.
The privacy framework in the United States of America (US), outside of the government context, consists of federal regulation and a patchwork of state laws. At the federal level, there are two significant statutory schemes: the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”). These laws are sector-specific: HIPAA applies to the handling of “protected health information” by “covered entities” and their “business associates”, and the GLBA regulates the handling of “non-public personal information” by “financial institutions”. In sharp contrast to these detailed regulations, the Federal Trade Commission (“FTC”) has general enforcement authority over privacy and consumer protection (among other things) pursuant to the FTC Act’s prohibition of “unfair or deceptive acts or practices in or affecting commerce”.
In recent history, the US has followed a “notice and choice” model, under which consumers should receive notice of a business’s information collection and use practices and be provided with an opportunity to exercise informed choices with respect to those practices. In addition to FTC enforcement, some states have passed laws along those lines. For example, California requires that website operators post privacy policies, and requires those operators to disclose choice mechanisms with respect to certain practices. There is ongoing debate over the adequacy of notice and choice to address privacy concerns given today’s data collection by numerous behind-the-scenes players and/or through numerous interconnected sensors and devices.
For most sensitive health data, the HIPAA Privacy Rule sets national standards for the treatment and disclosure of protected health information, and gives patients various rights. For data held by financial institutions, the GLBA Privacy Rule sets forth standards for the treatment and sharing of consumers’ nonpublic personal information, and requires that consumers be notified of their financial institutions’ information collection and use practices, as well as the consumers’ options for limiting such use, on at least an annual basis.
Forty-six states and the District of Columbia have breach notification statutes requiring entities to inform individuals (and sometimes state regulators as well) when certain events breach the security of the individuals’ personal information. These state statutes vary as to a number of factors in determining whether notification of a breach is required, including the format of the information (electronic or paper) and/or the extent to which the breach poses a risk of harm to consumers. A few states also impose general baseline requirements for the secure treatment of personal information.
For protected health information, HIPAA’s Security Rule requires the implementation of appropriate administrative, physical, and technical safeguards. Similarly, under the GLBA, a Safeguards Rule imposes obligations on financial institutions with respect to the security of records containing nonpublic personal information. Notably, there is also a detailed set of security standards that govern the handling of payment card data, as established by the Payment Card Industry Security Standards Council. Although these rules, embodied in the Payment Card Industry Data Security Standard (“PCI DSS”, current version 3.0), are technically an industry standard, they have the force of law because of significant penalties that may follow non-compliance, and at least one state has even passed a law requiring PCI DSS compliance.
Outside of these sector-specific requirements, the FTC has used its “unfair[ness]” authority (with some controversy) to impose minimal data security standards on businesses that handle consumer data.
Notably, an increasingly important aspect of data security compliance is oversight of service providers and vendors who have access to personal information. Appropriate compliance measures generally involve (i) a reasonable exercise of diligence in selecting service providers and vendors with sound data security practices, (ii) contractually requiring those service providers and vendors to treat and secure information appropriately, and (iii) some level of ongoing oversight, as appropriate for the risk and type of data handled.
No longer is the focus just on data security and information technology: companies of all sizes are now realizing they also must embrace cyber (i.e., systems) security and the so-called “Internet of Things”. In recognition of this, President Obama issued an Executive Order on cyber security in February 2013 which mandated cooperative measures between public and private sectors regarding “critical infrastructure” and the development of a broadly applicable cybersecurity framework by a national standards-setting body.
In February 2014 the US Department of Commerce’s National Institute of Standards and Technology released that framework: the Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). The Framework provides guidelines for organizations handling financial, energy, health care, and other critical systems to follow in managing cybersecurity through risk-based application of principles and best practices. Included within the Framework is a construct of risk-based self-assessments whereby organizations may review their practices in a number of categories and subcategories within five different functions (identify, protect, detect, respond, and recover), and assess the degree to which their cyber security practices exhibit the characteristics of the Framework using a four-tier scoring system (ranging from Tier 1 (partial) to Tier 4 (adaptive)). The Framework is not meant or designed to impose particular obligations on organizations, but rather to assist organizations in designing risk-based cybersecurity programs or assessing programs that are already in place. It remains to be seen how useful the Framework will be. If nothing else, the Framework reflects that ongoing self-assessment is key, and the “detect”, “respond” and “recover” functions are a poignant reminder that a state of cyber-attack should be assumed for any Internet-connected enterprise today.
Although the US does not have a data transfer law as such, it is expected that a company will know where and by whom personal data may be accessed, and that underlying security standards and restrictions on use will be satisfied. The transfer of data to service providers should be evaluated in connection with the risk-based level of controls and service provider oversight discussed above.
The existing EU Directive, on the other hand, provides that personal data should not be transferred outside the EU unless:
a. the destination country has ‘adequate levels of protection’, which will be assessed in the light of all the circumstances of the transfer. Certain countries have been designated in advance as having these ‘adequate levels of protection’ for the purposes of the Directive;
b. the data subject has been given his/her explicit consent to the transfer;
c. it is necessary in relation to a contract or a legal claim or where protection of an important public interest so requires;
d. the data transferor and data transferee have signed up to and appended the Model Contract Clauses to the relevant agreement between them in respect of which the transfer of personal data is to take place; or
e. where appropriate safeguards are in place to compensate for not meeting EU standards for adequate level of data protection, for example the Safe Harbor Scheme and Binding Corporate Rules.
On 26 July 2000, the Commission adopted Decision 520/2000/EC recognising the Safe Harbor Privacy Principles and Frequently Asked Questions issued by the Department of Commerce of the United States.
As this note shows, given the significant differences in privacy regimes between the US and the EU, the Safe Harbor decision allows for the free transfer of personal data from EU Member States to companies in the US which have signed up to the Safe Harbor scheme in circumstances where that transfer would otherwise not meet the EU standards for adequate level of data protection.
The scheme requires substantive protection of personal data (data integrity, security, choice, and onward transfer principles) and of procedural rights of data subjects (notice, access, and enforcement principles). A US company adhering to the Safe Harbor Scheme must not only comply with the scheme, but also state in its publicly available privacy policy that it adheres to these principles. Moreover, it must submit a self-certification of this to the US Department of Commerce annually. The reliance on self-certification and self-regulation has been criticised, however, by some Member States’ data protection authorities.
Deep deficiencies in the scheme have recently been highlighted by revelations about US intelligence collection programmes. In 2013 Edward Snowden, an employee of the US National Security Agency (the NSA), alerted the media to the extent of US intelligence surveillance programmes. Following these revelations, the NSA was found to have spied on European citizens, companies and political leaders, including Germany’s Chancellor Angela Merkel and the French President François Hollande. This has understandably undermined transatlantic relations and the trust on which the Safe Harbor Scheme is based.
In order to restore relations, in November 2013 the Commission made 13 recommendations to improve the functioning of the Safe Harbor scheme, calling on US authorities to provide remedies by the summer of 2014. The European Commission will then review the functioning of the scheme based on the implementation of these 13 recommendations and decide on the future viability of the Safe Harbor.
The President of the European Council, Herman Van Rompuy, outlined the current status of this in his statement of 26 March 2014: “On the governmental track, we’ll have an umbrella agreement on data protection by this summer, based on equal treatment of EU and US citizens. On the commercial data track, the US have agreed to a review of the so-called Safe Harbour framework. Transparency and legal certainty are essential to transatlantic trade”.
Multinational groups of companies can adopt internal Binding Corporate Rules ("BCRs"), such as a Code of Conduct, which define the group's global policy in relation to international transfers of personal data within the same corporate group. In order to be effective, the BCRs must be approved under the EU cooperation procedure to confirm that they provide adequate safeguards within the meaning of Article 26(2) of Directive 95/46/EC. Once approved, the BCRs allow personal data to be transferred internally within the multinational group from the EEA to companies located in countries lacking an adequate level of protection. Without these BCRs in place, the company would have to sign more onerous standard contractual clauses each time it transfers data to a member of its corporate group outside the EEA.
Although there are many advantages to BCRs, which have been widely welcomed, they have their downsides. The main issue with BCRs is the absence of a streamlined mechanism for approval by the relevant Data Protection Authorities across the EEA, and the fact that the process for obtaining clearance from all the authorities in the first place is somewhat unattractive, being relatively complex and time-consuming. In addition, if BCRs are used, a detailed compliance and audit programme must also be in place, which can be a further and ongoing drain on resources. All of these factors have combined to make it difficult, expensive and time-consuming for companies to achieve BCR approval, which has left BCRs a somewhat under-utilised mechanism. The draft Regulation provides what is hoped to be a simpler process for obtaining BCR approval (primarily through utilisation of the "one stop shop" approval process), in the hope that this mechanism (which is, at least on paper, quite a sensible and attractive method of dealing with intra-group transfers of personal data) will obtain a higher rate of adoption across the EEA.
Given the constantly evolving technology of today, and the increasing ease with which all data, let alone personal data, can be transferred, European law on data protection needs to continue developing to keep pace with technology. There exists a certain trepidation amongst many data protection officials and privacy groups surrounding the privacy implications of certain evolving technologies, such as “Google Glass” and the “Internet of Things”, and the need to address these and other issues with a more up to date piece of legislation than the 1995 Directive.
There is undoubtedly an element of a “fear of the unknown” surrounding these technological developments, but there is also most certainly a substantial degree of merit in the privacy concerns which have been raised about a number of these developments, and they do highlight the need for a single, up to date pan-European law regulating data protection, the security and processing of personal data, as well as its transfer and use.
As this article has explored, the US arguably has some way to go in restoring transatlantic data protection relations, which has yet to be seen in improvements to the Safe Harbor Scheme. On the other hand, the EU needs to ensure that its privacy concerns and related legislation offer practical and workable solutions which do not over-legislate and come at a high cost to industry, all of which will, we hope, become clearer once the draft Regulation is eventually passed, hopefully later this year or in early 2015.
As mentioned, the “notice and choice”model is not likely to suffice for the future. It may be that the US will eventually need to adopt a baseline set of privacy rights and expectations similar to that in the EU (instead of leaving those baselines up to companies and then punishing them if they handle that responsibility “unfairly”). Theoretically, the US Congress should be able to address privacy concerns and reach consensus on some aspects of data security in order to pass federal legislation, but they haven’t been able to do so for a number of years now.
Other interesting challenges will continue to arise in connection with what has been called “Big Data”. As enterprises and their service providers collect and manage massive amounts of data, there is a need to set rules on use and, more fundamentally, to establish accepted practices for “anonymization” or “de-identification”. There will continue to be more use of the “cloud” for storing and processing volumes of data, even by large enterprises that historically had stored all of their data in-house. Although the “cloud” has characteristics of a utility service, the risks are significant, especially for large-scale enterprise implementations. Risk management tools (such as cybersecurity insurance coverage and security certifications) continue to emerge and mature.
Privacy and data security in the US, like technology, continue to evolve. As data becomes more universally recognized as a critical asset, corporate boardrooms and executive suites will continue to become more interested in its appropriate protection and use.