New EU Data Privacy Laws Affect All of Us

by Francine Hardaway on January 3, 2012

Privacy may not be dead, especially in the EU, where new privacy laws have been drafted and are expected to be enacted soon. The Europeans are not fans of Mark Zuckerberg’s theory that people want to share everything, or of Eric Schmidt’s view that privacy is dead.

My friend Jeff Jarvis travels a bit to Germany, and he has shared in his book Public Parts how the Germans feel about Google Street View: they hate it, and they created enough pressure on Google that Germans are allowed to conceal their locations if they wish. This has been a source of some humor on “This Week in Google,” where that privacy-seeking country is now referred to as “Blurmany.”

Meanwhile, in Ireland, a young law student complained to Irish regulators about Facebook’s privacy controls after examining its policies. The regulators audited Facebook and asked it to create additional statements explaining information retention policies, visual photo tagging, and data collection from users who aren’t logged in. As a result of the first audit, Facebook had to agree to twenty more years of audits!

And on my own recent trip to Europe, Neil Wallis, a partner at Field, Fisher, Waterhouse LLP, gave a group of us the download on upcoming changes to the EU privacy laws.

In case you want to quit reading here, the headline is that the laws are getting more stringent and they will now apply to companies that do business with individuals in the EU even if their equipment is located outside the EU. So a US/Indian/Japanese business dealing with EU citizens will have to comply with EU data laws.

The new law will allow the use of personal data only when it is needed (when anonymous data will not do), collecting only what is needed (if you don’t need my nationality/gender/DOB, don’t ask for it), and deleting the information once you’ve finished with it. The individual’s consent will remain a cornerstone of European data protection law, but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice. Consent is being tightened up. Words such as ‘specific’, ‘informed’ and ‘explicit’ are being used to describe it.

In other words, you can always use my personal data to perform the contract (invoice me, address the delivery of the goods, etc.). A doctor can use my medical records to treat me without asking for my permission (if I were unconscious) because that’s needed to protect my vital interest. But some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights. Top of the list will be the much publicised right to be forgotten, followed closely by data portability.

As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the duty to appoint a data protection officer. If a country outside the EU asks for data considered private by the EU law, the data probably won’t be provided.

As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

And last but not least, in Wallis’ words, “the promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.”

Bigger and better fines. Now you know what’s coming.


