The European Union, originally through the medium of the Data Protection Directive, and, from 25 May 2018, under the newer General Data Protection Regulation, known as the GDPR, has enacted strong legal protection for individuals with respect to their personal data as gathered by third parties such as companies; other countries have followed suit, although not the United States. It is important to understand both the Data Protection Directive regime and the new GDPR regime.
Companies gathering data on individuals based in countries with such data protection laws typically must implement various measures to protect against misuse of the data. In addition, export of personal data to countries without such protection, absent the consent of the individual to whom the data relates, is usually prohibited. Other countries around the world are enacting similar data protection laws and companies that store substantial amounts of data on individuals should be careful to track such developments.
The EU has approved a set of standard contractual clauses, which, if used in transfers of data to non-EU countries, should protect the transferor. See variously,
- Commission Decision 2001/497/EC of June 15, 2001 on standard contractual clauses for the transfer of personal data to third countries under Directive 95/46/EC, 2001 OJ L 181/19;
- Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries, 2004 OJ L 385/74.
There are “Safe Harbor Privacy Principles” issued by the United States Department of Commerce under an arrangement with the EU, which allow data exchanges with U.S. entities that agree to abide by them. The Safe Harbor has now been superseded by a new EU/US system known as Privacy Shield, which will allow US (and Swiss) data processors to be compliant with the new GDPR.
The biggest change in the GDPR over the earlier Data Protection rules is that the GDPR is much stricter about when personal data of persons resident in the EU becomes or remains subject to EU data protection, very substantially increases fine levels (2-4% of turnover), and requires better-informed consent to the collection of personal data, as well as more rigorous record keeping for such consents. In particular, it is much more necessary for international businesses with activities in the EU, especially those with customer-facing functions involving members of the public, to consider their need to comply with EU data protection law.