The Global Impact of the EU's New Rules on Data Privacy

When Facebook began readying its IPO, the social network's S-1 regulatory filing to the Securities and Exchange Commission (SEC) ticked off a list of potential risk factors ' among them, global data privacy regulations that could impact the business.

Only a week earlier, the European Commission came out with a new proposal on data protection regulations that won't apply just to companies like Facebook (see, http://bit.ly/x2IsXY).

“Every company that looks to sell to an EU consumer will be caught by this,” says Cynthia O'Donoghue, co-head of the data privacy, security, and management group at Reed Smith in London.

Though the proposal is years away from being finalized, the fundamental differences in how Europe and the U.S. think about privacy is what has tongues wagging already. “All of this stems from the belief in Europe that a person owns their own data,” says O'Donoghue.

In some areas, the proposal promises to streamline compliance. The EU's 1995 directive on data privacy set a baseline for data protection standards that countries could build off of or tweak. “Some countries had a higher degree of protection, some countries had different sorts of compliance requirements,” says Stuart Levi, co-head of the intellectual property and technology group at Skadden, Arps, Slate, Meagher & Flom in New York.

The proposed regulation would essentially create a single, unified law that applies to all member states. Companies would also have to deal with a data protection authority in one country ' as opposed to 27, which would ease the administrative burden for companies, says Levi.

But there are areas where there will be more challenges. The proposed law requires that companies obtain “specific, informed, and explicit consent” in order to use a person's data. That's commonly thought of as an “opt-in” model, “meaning we won't use your data unless you check this box saying we can,” says Levi.

Personal data is considered “any information that directly or indirectly identifies a person,” says O'Donoghue. The proposal would also apply to the aggregation of data, such as a profile consisting of a person's IP address and click-through pattern ' even if a company does not know the name of the user, O'Donoghue says.

The proposal's incorporation of the “right to be forgotten” gives users the right to tell a company to erase all of their data ' including data that winds up on a third-party site, even if the company didn't put it there. That basically makes companies “responsible for the full chain,” says O'Donoghue, no matter where the data ends up.

Levi sees the proposal's “right to portability” as slightly more problematic in a commercial context. Under this premise, the user of a social network, for example, who wanted to retrieve his or her data and migrate to another site could say: “I'd like [my data] all back in a nice neat box so I can give it to another social network competitor of yours,” Levi says.

“What I think a lot of companies will find troubling with that is it gives me the commercial burden to store your data in a way I can give it back to you, in a form that's reusable for someone else,” says Levi. “I can see it being a big area of debate.”

The proposal's requirements on 24-hour data security breach notification could also drive a global change in company response, according to Levi. In the U.S., for example, while there's no federal law on notification, many companies will defer to the state law that imposes the strictest requirements.

Similarly, says Levi, “by having a broad European regulation that might be stricter than what U.S. states require, it could change the way companies deal with data security breaches if you have EU data as part of your data.”

Catharine Dunn is a reporter for Corporate Counsel magazine, an ALM affiliate of e-Commerce Law & Strategy.

When Facebook began readying its IPO, the social network's S-1 regulatory filing to the Securities and Exchange Commission (SEC) ticked off a list of potential risk factors ' among them, global data privacy regulations that could impact the business.

Only a week earlier, the European Commission came out with a new proposal on data protection regulations that won't apply just to companies like Facebook (see, http://bit.ly/x2IsXY).

“Every company that looks to sell to an EU consumer will be caught by this,” says Cynthia O'Donoghue, co-head of the data privacy, security, and management group at Reed Smith in London.

Though the proposal is years away from being finalized, the fundamental differences in how Europe and the U.S. think about privacy is what has tongues wagging already. “All of this stems from the belief in Europe that a person owns their own data,” says O'Donoghue.

In some areas, the proposal promises to streamline compliance. The EU's 1995 directive on data privacy set a baseline for data protection standards that countries could build off of or tweak. “Some countries had a higher degree of protection, some countries had different sorts of compliance requirements,” says Stuart Levi, co-head of the intellectual property and technology group at Skadden, Arps, Slate, Meagher & Flom in New York.

The proposed regulation would essentially create a single, unified law that applies to all member states. Companies would also have to deal with a data protection authority in one country ' as opposed to 27, which would ease the administrative burden for companies, says Levi.

But there are areas where there will be more challenges. The proposed law requires that companies obtain “specific, informed, and explicit consent” in order to use a person's data. That's commonly thought of as an “opt-in” model, “meaning we won't use your data unless you check this box saying we can,” says Levi.

Personal data is considered “any information that directly or indirectly identifies a person,” says O'Donoghue. The proposal would also apply to the aggregation of data, such as a profile consisting of a person's IP address and click-through pattern ' even if a company does not know the name of the user, O'Donoghue says.

The proposal's incorporation of the “right to be forgotten” gives users the right to tell a company to erase all of their data ' including data that winds up on a third-party site, even if the company didn't put it there. That basically makes companies “responsible for the full chain,” says O'Donoghue, no matter where the data ends up.

Levi sees the proposal's “right to portability” as slightly more problematic in a commercial context. Under this premise, the user of a social network, for example, who wanted to retrieve his or her data and migrate to another site could say: “I'd like [my data] all back in a nice neat box so I can give it to another social network competitor of yours,” Levi says.

“What I think a lot of companies will find troubling with that is it gives me the commercial burden to store your data in a way I can give it back to you, in a form that's reusable for someone else,” says Levi. “I can see it being a big area of debate.”

The proposal's requirements on 24-hour data security breach notification could also drive a global change in company response, according to Levi. In the U.S., for example, while there's no federal law on notification, many companies will defer to the state law that imposes the strictest requirements.

Similarly, says Levi, “by having a broad European regulation that might be stricter than what U.S. states require, it could change the way companies deal with data security breaches if you have EU data as part of your data.”

Catharine Dunn is a reporter for Corporate Counsel magazine, an ALM affiliate of e-Commerce Law & Strategy.