While European Union (EU) policymakers have debated for almost two years over revisions to the continent's personal data protection law, recent allegations that the U.S. National Security Agency (NSA) is spying on European Internet communications are providing ample incentive for officials to push for swift adoption of the current draft.
The stakes are high—not just for the EU and companies that operate there, but also for other nations that will have to try to reconcile the European mandate with their own. This new law is likely to force many companies to drastically change their business model and reorganize operations, which will push operating costs higher. While those businesses that rely heavily on online advertising and data processing, such as publishers and web giants, will likely be the most affected, the proposed changes will have an impact on all organizations holding or processing EU citizens’ data—even if it’s data from clients or employees and whether or not the organization and its servers operate in Europe.
While it is still unclear how the EU intends to have European rules apply to organizations outside its borders, European leaders have clearly stated their intention to lead by example and set a global standard for personal data protection. That goal puts the Union up against the sovereignty of other countries to set the rules on their own territory.
What’s to be expected then? The most emblematic provisions of this 80-page draft law oblige organizations to:
- Get explicit consent from a person prior to processing their data;
- Provide for a right to be forgotten that guarantees the erasure of personal data upon request;
- Prioritize the privacy of data at every level of their operations and with each use;
- Notify a supervising authority, such as the national data protection authority where a company has its main EU establishment, about personal data breaches within 24 hours.
A breach of these rules could lead to fines of up to 2 percent of a company’s annual global turnover. The proposed law also foresees the introduction of a pan-European class action system, a development likely to push compliance costs even higher.
The elephant in the room of the EU data protection debate has always been international data transfer, i.e. the ability of an organization to transfer data from the EU to other countries. Now, with the recent NSA revelations, calls for stronger EU rules on international transfers are more insistent than ever. For instance, the head of a French IT company recently called for making it compulsory to store EU citizens' personal data in Europe only. Such a measure could force companies to use or build data storage facilities in Europe and even split centralized direct marketing programs between the U.S. and Europe, dramatically pushing up costs. Already, some EU policymakers have called for suspending the Safe Harbor program, a streamlined process for U.S. companies to demonstrate compliance with EU privacy rules, while the EU awaits clarifications from the U.S. on the allegations.
The last shock waves from the NSA disclosures have not yet been felt. When the NSA story broke, there were calls to suspend the Transatlantic Trade and Investment Partnership negotiations, which started in July. Viviane Reding, the EU commissioner in charge of data protection, temporarily quieted that talk with assurances that personal data was not on the table at the moment. With the European elections, set for May 2014, only eight months away, EU policymakers are doing their best to finalize the reform. If they do not succeed, there is a chance that privacy, and its connection with the NSA allegations, could play a role in the campaign debate, and it will certainly be first on the agenda when the new policymakers take office.