GAMABrief: Understanding the EU’s Data Privacy Reforms
The European Union (“EU”) is in the process of strengthening its digital data privacy laws, the far-reaching effects of which will be
felt by any United States company doing business in the EU. The latest move toward implementation of the General Data
Protection Regulation (“Regulation”) occurred in late October 2013, when the European Parliament approved certain
amendments to the current draft of the legislation. If passed, these amendments will further strengthen online data privacy and
severely restrict the transfer of EU citizens’ personal data to non-EU countries.
EU’s Privacy Status Quo
Currently, the 1995 Data Privacy Directive (“Directive”) regulates data privacy in the EU, directing each of the twenty-eight EU
member countries to create its own set of data privacy laws that comply with the Directive’s provisions. That means a company
with customers in all twenty-eight member countries must learn and comply with the unique data protection rules of twenty-eight different countries.
To ease this burden, the U.S. Department of Commerce and the EU developed a Safe Harbor certification program under which
U.S. companies that can demonstrate an adequate level of privacy protection are able to transfer personal data outside the EU
without violating the Directive. To meet Safe Harbor certification standards, companies must implement privacy frameworks that
abide by seven principles on topics like notice, choice and data security. Thus, even with the ability to obtain Safe Harbor
Certification, U.S. companies operating in the EU must nonetheless pay special attention to the manner in which they handle
personal data or face sanctions by governing bodies in both the United States and EU.
The Proposed Overhaul
The October vote moves the EU one step closer to overhauling the inconsistent patchwork of country-specific rules and
replacing it with a single, uniform piece of legislation. The European Parliament is aiming to have the provisions of the Regulation
fully agreed upon by May of 2014 and to take effect two years after that. This may seem like a long way off, but the anticipated
changes are substantial and certain countries are already rushing to legislate their own stricter data privacy laws in the meantime.
Companies should begin preparing for the changes now. Once in force, companies whose data privacy policies have not been
updated to comply with the Regulation will be in violation of the law.
The new Regulation acknowledges the vast changes brought about by the growth of the Internet—changes concerning how
personal data is generated, stored, shared and viewed—and seeks to better protect the privacy of EU citizens. Influenced by this
goal and in light of the NSA’s secret spying activities, the European Parliament has just voted overwhelmingly in favor of every
proposed pro-privacy amendment to the latest draft of the Regulation.
A few of the key changes included in the amendments are discussed below:

• Right to deletion, data access and correction – Internet users have the right to have their online data deleted. Upon
request, companies—both big and small—must delete the personal data of the user and communicate the deletion
request to any third party to whom they sent the data. Moreover, companies must clearly explain to users what they do
with the user’s personal data and hand over the data upon request.

• Informed consent – Users should be clearly informed about what happens with their data, and they must explicitly
agree to such use. That means companies must provide users with easy-to-understand privacy policies and only track
users if the privacy settings of the user’s browser clearly permit it.

A GAMA White Paper produced by Christina Gagnier & Emily Poole. © 2013. Gagnier Margossian LLP. All rights reserved.

• Right to information and transparency – Companies must provide users with clear and easy-to-understand
information on how their data is collected, used and stored and must inform users when or if the company transfers
personal data to public prosecution authorities or intelligence services.

• Data transfer to non-EU countries – Companies may not transfer personal data of EU citizens to the authorities of a
non-EU country unless the transfer complies with European law. This means that communication and Internet companies
may no longer hand over data to U.S. authorities unless explicitly allowed by EU law or an international treaty.

• Identifying data – All data which can directly or indirectly identify an individual, even if it comes from a mass collection
of “Big Data,” must be protected. In this way, the Regulation is encouraging pseudonymized data that cannot be linked to
other data.

• Heavy sanctions – Companies that violate the Regulation will face tough sanctions. Violations could result in fines up to
the greater of 100 million euros ($137 million) or 5% of the company’s annual worldwide revenue.

• Privacy by design – Companies should operate with a “Privacy by Design” mindset: develop and integrate privacy
procedures into every level and aspect of their operations. Further, companies should minimize their data use and
collection practices and implement the most data protection-friendly settings possible. In other words, companies should
only collect data that is necessary for the functioning of their service. Users should also be able to use services
anonymously or pseudonymously.

• Data protection officer – Companies that regularly deal with personal data must appoint a data protection officer. The
size of the company does not determine whether such an officer is required; rather, the amount and relevance of the
company’s data use and collection practices will make this determination.

• Uniform enforcement of the rules – A European Data Protection Board will ensure the data protection law is applied
consistently throughout the EU. In this way, companies may not avoid strong data protection laws by racing to those
countries with weak law enforcement, nor will they be unwittingly subject to the more aggressive data enforcement
practices of countries like Spain or Germany.

Preparing for the Change
While the Regulation has not yet been finalized and certain provisions will likely be amended, companies can and should begin
taking steps to prepare for the inevitable changes. First, companies should review their privacy policies to ensure they are
accurate and up to date. Some policies may need to be re-written to comply with the requirement that they be clear and easy-to-understand. Second, companies should appoint a Data Protection Officer. An existing employee may be able to absorb the
role, or the company should consider hiring outside legal counsel to take on the position. Third, companies should conduct an
audit to determine their strengths and weaknesses with respect to privacy. The results of the audit will help the company
determine whether its privacy safeguards are sufficient and will reveal whether the company is collecting more data than
necessary. Finally, companies should experiment with and test their privacy controls. Any errors or oversights could result in
sanctions and/or substantial fines.
For more information or guidance on getting your business ready for the new EU privacy regulations, contact a privacy attorney at Gagnier Margossian LLP.

Internet
Intellectual Property
Privacy
Social Media
Technology
The Good Stuff

#nerdlawyers
Los Angeles

Sacramento

T: 415.766.4591
F: 909.972.1639
E: consult@gamallp.com

gamallp.com
@gamallp

San Francisco
