As early as this spring, European Union officials will update privacy regulations with changes that will affect not just member nations, but anyone who does business there.

Delivering the keynote address to kick off the inaugural Compliance Week Europe conference, Peter Hustinx, the European Data Protection Supervisor, discussed trends and changes afoot for data protection regulation in the EU. He spoke to attendees representing 75 different organizations in 17 countries.

It may take a couple of years for new requirements to be fully implemented, but companies should start now to get ahead of what is to come. For many, if not all, companies in the EU or doing business within it, that may entail formalizing the position of Chief Privacy Officer.

EU privacy mandates are nothing new; many date back to a directive issued in the 1990s. Technological advancements and the globalization of companies have made it necessary to refine and expand upon these established approaches, Hustinx said. The need is to make these safeguards “more effective in practice,” he said.

That effectiveness will come from establishing consistency throughout the EU. “We cannot afford responses that are slightly different in all 28 member states of the EU,” Hustinx said. “We need to be more consistent as data moves around the world.”

A draft of the new regulation surfaced in January 2012 and faces nearly 4,000 potential amendments. It is a record number, but not necessarily an insurmountable challenge, and Hustinx expects compromise amendments to set the stage for finalization by April.

How rough will it be for companies? Well, that depends. Companies already in compliance with past European standards will be “well-placed” to continue to improve, he says. “If you haven't done anything on this yet, you are very late. You need to catch up and can't wait.”

A notable change is that the current directive, intended to harmonize national requirements, will be replaced by an EU regulation that applies directly in every member state. Hustinx said this approach to consistency “feels quite revolutionary,” and will mean “answers will be the same everywhere,” country by country.

Another change is that “explicit consent” must be obtained from users. “That means that someone should say ‘yes,' or the behavior of that person should be so crystal clear that it is obvious their answer is ‘yes,'” Hustinx said. “Slippery assumptions” and check-the-box broad strokes will no longer be sufficient.

Transparency and accountability measures will be ramped up. Users must know explicitly what is happening with their data – where it goes and how it is used. They will have a right of access to all data that refers to or is about them. Also included are more explicit rights to correction and deletion of data, described as “the right to be forgotten,” a perhaps radical departure from the traditionally immortal memory of the Internet. Companies will need to pay greater attention to retention and deletion processes.

Users will have a right to data portability: access to their data in a form that can be exported and imported for other purposes, for example when moving from one social network to another. A right to “collective action” is established that allows data subjects to join together and share legal costs.

“Basic continuity” will be part of the regulatory initiatives, a demand that companies undertake “all measures necessary to ensure compliance,” Hustinx said. “You have to demonstrate this has been done and go back regularly to ensure these measures are still working.”

“Privacy by design” will become a general legal principle, meaning that whenever new systems are developed they must bake in privacy protections and be able to show that they were developed with privacy compliance in mind. Harsher penalties are on the table for non-compliance, up to 2 percent of worldwide sales.

To rein in overseas entities, companies are pushed to demand compliance contractually, or through the new concept of “binding corporate rules,” which is “basically a code of conduct imposing that certain rules be enforced for allowing data to be exchanged within a large corporate family.”

The coming EU regulation will likely demand a dedicated chief privacy officer for larger organizations. Hustinx says it is a concept whose time has come, for companies of all sizes. “There will be big incentives to have one,” he said. “It is at the heart of accountability.”