In addition to the European Court of Justice’s rejection (and invalidation) of the 16-year-old Safe Harbor mechanism between Europe and the United States (which is discussed in more detail below), the European Commission approved a reform of its own data privacy regime (on December 15, 2015). The new regime is an attempt by the Commission to rationalize the regulation of data collection and data privacy throughout the European Union.
Prior to this, regulation was done at a national level under the auspices of a series of very high-level directives promulgated by the European Union. Each jurisdiction within the Union had, and has, a privacy directorate that promulgates and implements rules implementing the Directives within that jurisdiction. The countries of the EU have approached privacy from a number of different perspectives, ranging from a relatively light touch in the United Kingdom to very comprehensive and restrictive regimes in places like France and the Netherlands. The result has been a complex patchwork of laws that vary considerably within the countries of the EU, making things such as e-commerce and privacy compliance challenging. Nor did the complexity stop at the national level. Some German provinces have very active provincial privacy directorates, with the result that privacy law in Germany in some cases varies by province.
To say the least, this patchwork created headaches for businesses subject to it, which is to say virtually every business on the continent, since all of them at least capture information about their employees, and many also capture it about customers, business partners and a great many other parties.
The new framework attempts to replace all of this with a single regulatory scheme. In theory, this will make things easier for businesses, since a single solution for any privacy issue should be valid throughout the EU. The new regime will also eliminate a couple of noteworthy headaches. So, for example, organizations that are not in the primary business of data collection will no longer need a privacy officer. And organizations will no longer need to file notifications with national authorities respecting their data collection activities.
On the other hand, there are some clear downsides to the new regime that are apparent even at this early time. Foremost among them are penalties. Penalties for violations can run as high as 4% of the worldwide revenues of an organization. That’s extremely high, and could be billions of dollars in the case of a very large multinational. The second issue is uncertainty. National privacy directorates will not go away. Rather, they’ll be in charge of interpreting and implementing high-level rules promulgated at the EU level. That means uncertainty – one thing we’ve learned in the United States is that uniform laws don’t stay uniform very often. Instead, what happens is that each state decides to put its own little wrinkle in the uniform law, and the next thing you know they’re not uniform. Thus the presumed predictability of the uniform law rapidly evaporates. Given the flexibility that the EU apparently intends to give to national privacy directorates, it’s almost a certainty that the more active among them will continue to be active, interpreting the high-level direction from the EU very strictly and enforcing their own interpretations very aggressively, with the added incentive of being able to impose massive financial penalties on organizations deemed to have committed a violation. Another thing we’ve learned is that cash-starved governments are pretty aggressive when it comes to nicking big companies for regulatory violations when there’s a big payday involved.
There are other annoyances as well. For instance, the so-called “right to be forgotten,” which allows a person to have their data removed when they no longer want it out in the world, is now enshrined in law. There are, to say the least, some technical issues with the feasibility of this in the data era, so exactly what’s going to happen with provisions like this is all uncertain – except perhaps for the big monetary penalties they’ll hit companies like Google with for failing to comply.
What is certain, however, is that we are now entering into a period of uncertainty. The regime itself does not actually come into effect until 2017. And it will take a considerable period of time thereafter for the national privacy directorates to ramp up for the new regime. And as with any statutory enactment, it will take a considerable period of time before a body of regulatory enforcement actions and case decisions builds up so that affected organizations can see how the law actually operates in practice.
Another thing that’s certain is cost: everybody has spent a lot of money and time complying with the current set of regulatory regimes, and undoubtedly the changes will force additional expenditures for compliance, particularly since the penalties are so high. And for a few years, it’s a guessing game, as companies build processes and technology in anticipation of rules and decisions that don’t yet exist, but with which they will nonetheless be responsible for complying.
We live in interesting times in many ways, and this will be no different. Whether or not the new regime is beneficial to commerce in the EU remains to be seen. But it’s an interesting experiment. As for the unfolding saga of the Safe Harbor agreement rejection, the EU and U.S. have announced (as of February 9, 2016) a legal mechanism called the Privacy Shield, which is supposedly going to facilitate the legal transfer of commercial data from Europe to the U.S. However, the details of the Privacy Shield and how it will be implemented have not yet been released. Supposedly the final document outlining the Privacy Shield will be submitted to a working group within 3 to 4 weeks (as of this writing). So keep looking back here for updates.