Are European Information Privacy Regulations Important in Your Practice?

This is an installment in a series of articles written by Alan Mark, the data privacy and legal expert at doxy.me. He writes about privacy, data protection, international data policies, and more. We think you will enjoy learning more about these important topics!

In the aftermath of World War II, the United Nations issued a Human Rights Declaration. It declared that “No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence…” European nations used that statement as the basis for their privacy laws. 

In the 1980s, there was a need to promote transborder commerce and data flows while retaining the privacy of individuals. Although it was the beginning of the computer age, most personal details were still on paper. 

Still, many of the principles from that period translated into the digital age. These included:

  • only collect data for the reason that it was intended
  • collected data must be kept safe
  • if data are lost, the collector will be liable

The key caveat was that each nation could tweak the rules. Harmonization was needed. The culmination of the work undertaken by the European Commission was Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. Its short name is the Data Protection Directive. 

In 1995, the European Commission ratified Directive 95/46/EC to protect a citizen’s personal data—a milestone in privacy law.

Legislation continued as computers became common

In the years that followed, more directives were passed that filled holes created by the evolving computing and Internet-based industries.

Directives were enforced by each European member state (28 countries) with no governing body. And each country could tweak parts of the Directive. For instance, the minimum age to collect personal information was different in Germany than in France.

In addition, any personal data transfer outside the EU required that the non-EU country have at least the same level of data protection laws. In other words, were the receiving country’s laws “adequate”? If not, then a legal agreement was required that gave EU regulators specific rights of action over the non-EU company.

Some “adequate” countries are Canada, Australia, Argentina, and Israel. Notably absent: the U.S.

The EU member states work together

In 2016, EU member states got together to harmonize data privacy laws and create a governing body. The result was 99 articles called the General Data Protection Regulation, or the GDPR. It went into effect in May 2018. 

The biggest change to the privacy world came in May 2018 when the EU General Data Protection Regulation, or the GDPR, became effective. It essentially gave the EU power to control their citizen’s data even when the data were located outside the EU. 

Now, how can an EU court or government impose their laws on companies around the world? Logistically, they can’t. Instead, pressure is put on: 1) the EU company doing business with the foreign company; or 2) on the foreign company’s local EU office.

EU regulators have specifically targeted large U.S. tech companies because most big data companies are U.S.-based. 

GDPR compliance has cost companies billions and impacts most firms worldwide that do business in the EU. 

US companies must demonstrate compliance

Each company that controls or processes EU citizen data must provide evidence that it is adhering to the GDPR—or face penalties. In addition, the Supervisory Authority has the right to physically audit that company.

The penalties for non-compliance are up to 4% of global revenue or €20M (US$24M). Ouch.

That’s why EU companies want assurance (and legal agreements) that their employee/customer data will be processed in accordance with GDPR principles such as:

  • there is a legal basis for processing personal data
  • data are only processed for specific purposes
  • individuals may request that their data be changed or deleted
  • a company data protection officer is appointed
  • data transfers are only to an “adequate” country or by special agreement 

Staying GDPR compliant requires monitoring changes in law and rulings—one of which was handed down in July 2021 by the European Court of Justice (ECJ). It ruled that, since the U.S. government could demand EU citizen data without permission, the U.S. was not deemed “adequate.” This invalidated the cross-border transfer framework called EU-U.S. Privacy Shield.

The details of the ruling are complex. In the ordinary course of business, the U.S. government wouldn’t demand to see data in 99%+ of companies; the data are of no use to national security and surveillance activity.

In 2022, the chances of the U.S. Congress adopting any new digital information laws are low given the partisan politics in play. That leaves it to U.S. and EU agencies to determine how best to proceed with overseas data transfers.

Still, the fight goes on. Until the Privacy Shield program is changed, new agreements must be negotiated if data collection is likely “to result in a risk to the rights and freedoms of individuals.” Privacy officials always have plenty of work to do.
