Big Changes Coming in EU Privacy Law

The European Union is about to make major changes in its privacy law that will have a significant impact on U.S. companies that do even modest amounts of business in Europe. On January 25, 2012, the European Commission (the EU’s executive branch) released a long-awaited Draft Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (pdf).

While it will likely be a year or more before a final regulation takes effect, and there will almost certainly be amendments along the way, American companies – including those involved in the field of personalized medicine, where personal data is paramount by definition – should start paying attention now, since they may have to change the way that they do business in Europe.

We will provide a more detailed analysis of the Draft Regulation at a later date. In the meantime, here are some of the key issues we are examining:

  • It is significant that the Commission is acting by Regulation rather than Directive (as was the case with the current privacy law, enacted by Directive in 1995). A regulation is top-down and directly applicable, imposed uniformly throughout the EU, whereas a directive must be transposed into national law by each member state, which gives individual nations the chance to make adjustments.
  • The EU is taking a very aggressive approach to jurisdiction, or its authority to regulate—and impose penalties on—U.S. and other foreign companies that do business in Europe. The Draft Regulation would cover all data processing activities (very broadly defined) by non-EU companies that involve offering goods or services to EU data subjects or monitoring their behavior.
  • Data subjects (also broadly defined) will have significantly more rights than under current EU law. For example, the company will have the burden of proving that every subject has given consent for the processing of their data for specified purposes. Consent is defined as “any freely given specific, informed and explicit [emphasis added] indication of will,” and can be withdrawn at any time. The subject will also have a controversial “right to be forgotten and to erasure.” This means that when the subject withdraws consent or “the data are no longer necessary” for the purposes for which they were collected, the company must render the data inaccessible, including on the Internet.
  • Along with data pertaining to race or ethnic origin, political opinions, religion or beliefs and trade-union membership, the Draft Regulation identifies “genetic data” as a category of personal data designated for special protection. (The Draft Regulation defines “genetic data” broadly to include “all data, of whatever type, concerning the characteristics of an individual that are inherited or acquired during early prenatal development,” thus presumptively sweeping in all genetic information as well as family medical histories and other related health information.) Special protections include impact assessments and prior authorization of data processing operations, and activities lacking sufficient identification or mitigation of risks to individuals may be prohibited.

These are just a few of the more important features of the 96-page, 91-Article Regulation.

Elsewhere, the Draft Regulation would create other new rights and responsibilities and reaffirm and/or strengthen many provisions of existing law, including the current restrictions on transferring data outside of the EU. Ironically, the Draft Regulation itself notes the “practical challenges to enforcing data protection legislation” across boundaries and the “risk of different levels of protection…creat[ing] restrictions on cross-border flows of personal data” between jurisdictions. While the Draft Regulation may ease some of these concerns within the EU, global companies seeking to move personal data in and out of the EU face a different calculus.

The draft must now be reviewed by several Directorates of the EU Commission before being submitted for review and approval by the Parliament and Council. But while full implementation will take some time—more than a year in most estimates—the proposed changes are so dramatic and far-reaching that U.S. companies doing business in Europe will require at least that much lead time to plan their compliance.