Client Alert
"Perfect Storm" of EU Data Law Changes; New 2% of Global Revenue Fine Announced. Are you Ready?
The EU proposals announced a few days ago are only the latest in a series of developments over recent months in which major data protection law changes have come into force. These changes affect not just UK or EU companies but any company, particularly a US company, that is deemed to be "processing" EU data. New fines increasing penalties from £5,000 to £500,000 per offence, implementation of the E-Privacy Directive (with new restrictions on cookie use, tracking and customer profiling), a newly appointed enforcer in the UK, website policing for the first time and so on have all helped focus attention on what has for many been a hitherto "bothersome" or "dull" compliance topic.
Increased prosecution risk/fines – Note not just proposals but new law already in force
The push for much more regulation and, in particular, for aggressive fine levels and enforcement is the end result of too many companies taking a half-hearted approach to DP compliance. The enforcers have said as much, and have expressed increasing impatience and a greater appetite for enforcement action.
Facebook has recently been prosecuted, with the German enforcer breaking off dialogue saying that further discussions with the social media giant were "pointless."
The new EU proposals reflect this: a new Regulation that will apply the new law uniformly with no national variations, application of the rules to non-EU companies targeting or doing business in the EU, new rights such as the "right to be forgotten" and other changes meant to strengthen and alter the current main Directive regime.
On top of that, the EU plans for even larger fines - 2% of Global Turnover (Revenue) for DP breaches.
A key point to note is that although these new proposals are currently grabbing the headlines, they are just one further development in a trend that has been picking up pace over the past year or so. In particular, a raft of new laws and developments are already here and in force now.
All of these elements are combining into quite a "perfect storm" of significantly increased risk, higher fines, more aggressive enforcers and less time to get one's house in order. Many companies also do not fully appreciate the scope of change that has already taken place and the need to act.
Does this affect you?
Do you process personal data in Europe? Do you really have the "consent" of the individuals whose data you process? Do you transfer personal data from Europe to the US? Do you use cookies on a website which is aimed at European customers? How about sending marketing emails to Europe – do you do this?
If any of these questions resonate with you, you should note the urgency of acting early in 2012 given this "perfect storm" of developments.
What changes might catch you out?
Firstly, it is much easier for the enforcers to fine you as some of the new powers allow "on the spot" fines without going to court. The UK Information Commissioner’s Office ("ICO") has already started to use these new powers.
In terms of further developments, from 1 March 2011, social media activity, as well as what you say or don't say on your corporate website, became much more complex, as regulatory Codes that did not previously apply now bite. Companies need to review their websites and their use of and exposure on Facebook, Twitter, etc., as well as how they use any data collected via those channels.
Laws relating to the use of cookies and customer profile/tracking data under the EU E-Privacy Directive have also recently changed: since 6 May 2011, user consent (so some form of opt-in) is required before cookies can be used or set, potentially changing the way websites operate and giving all those who conduct e-business in Europe some homework to do.
Additionally, on the issue of what constitutes "consent" there has been important EU Working Party clarification which affects the way many have been operating to date, particularly requiring explicit consent (rather than implied).
So what should you do?
"Privacy by Design" has been the mantra coming out of the EU for a while now. In order to keep enforcers at bay a company should conduct a fresh audit that highlights awareness of the recent changes, how they affect the company and related 2012 privacy by design plans/actions.
The immediate audit action item for companies (whether EU-based or US but doing business in Europe) is to urgently review their current data use as well as current policies and procedures and then take corrective action.
In many cases, next steps will mean appointing/revising data privacy officers/teams and auditing how and where data is used, what consents they have/don't have and importantly what data is being transferred around the world and to where.
This last point is crucial as data transfer is a major area of change. Almost all international companies will have data transferring in a way that needs compliance with EU rules and many have what the EU increasingly regards as outdated approaches involving hundreds of (or more) Model Contracts (MCCs).
The perception of the preferred alternative for group companies, Binding Corporate Rules, is also often outdated and many are unaware of the recent changes making BCRs much less costly and faster. The EU is also now very much seeing BCRs as the preferred approach for the future and there is much discussion around further BCR enhancements and "families of BCRs" proposals.
A key take-away point is that review of companies' international data transfers activities is a must.
Key 2012 Board Agenda Item
In short, businesses, especially US companies, that deal with data in the EU need to urgently revisit what they are doing, what procedures, policies, standards and documents they are using, and whether they are in fact as compliant as they think they are, given the new landscape and recent changes. The storm of new laws, new fines and enforcement, with more coming shortly, should quite rightly fast-track this to the top of Board agendas.
