EU Significantly Expands Data Protection Laws

April 25, 2016

Data privacyThe European Parliament recently expanded the scope of European data protection significantly.  Those changes will be fully effective in the European Community within two years.  They will have notable impact on American businesses operating in Europe.

The new laws require that parties who collect or process private data associated with individuals first provide clear and understandable descriptions of their privacy policies and obtain “clear and affirmative consent” from the individuals involved for all of the specific uses of the data.  This requirement places an obligation on the party collecting or using the personal data to obtain specific consent.

The new privacy rules also adopt the concept of the “right to be forgotten.”  This requirement obligates parties who provide access to information associated with specific individuals to terminate that access when the information involved is no longer accurate or is out of date.

Under the new rules, individuals have a right to transfer their private data to service providers of their choice.  Additionally, individuals have the right to be informed when their private data has been compromised through hacking or some other form of unauthorized data access.

Matsuura Blakeley BannerThe laws attempt to foster standardization among European law enforcement authorities with regard to personal data collection, use, retention, and sharing.  Under the new rules, law enforcement organizations in the European Community are required to coordinate their policies and practices associated with data collection and use.

The new data protection laws provide substantial penalties for violations.  Under the new rules, privacy authorities in Europe are authorized to impose fines up to a maximum of four percent of the total global revenues of a business in the event of violations of the new data protection requirements.

The new laws substantially expand the scope of data protection in Europe.  This broader scope of coverage is likely to complicate the ongoing negotiations between European and American authorities regarding adjustments to the data protection and privacy requirements of American businesses when handling European data.

All American businesses that operate in Europe or make use of European private data should review the new requirements carefully.  Alls such businesses must be prepared to comply with the new EU data protection obligations and that compliance is likely to be challenging.

This action by the European Parliament offers another example of Europe’s position as a global leader in data protection and information privacy.  The EU assumed that leadership role when it previously enacted its framework for data privacy and this recent extension of that policy framework demonstrates that the EU remains far more committed to fundamental principles of personal privacy than virtually any other government in the world.