ANALYSIS: Europe gets tougher with data protection laws

28 October 2015 | Alan Burkitt-Gray


Telecoms operators, cloud providers and service companies such as Facebook and Google will face huge fines in a couple of years if they breach toughened new European data privacy laws.

And the chance of breaking even existing laws has risen substantially thanks to a court ruling that outlaws a handy get-out clause that has applied for 15 years.

The Court of Justice of the European Union overturned an agreement that allowed companies to transfer personal data to the US - a deal known as “safe harbour” - provided they undertook to abide by European standards. Following the ruling, European data protection regulators will be able to stop companies moving personal data to the US under that scheme.

Facing these same companies is the EU’s planned tightening up of all European data protection laws - already some of the toughest in existence. 

The new laws, likely to be adopted in 2016 and to come into force two years later, will set heavy penalties for privacy breaches. The European Parliament is talking about fines of up to €100 million or 5% of global turnover, though the Council of Ministers is suggesting up to €2 million or 2% of global turnover.

The CJEU ruling in early October followed a case brought by Maximillian Schrems, an Austrian law graduate who argued that the Irish data protection authority was wrong to decide that it could not take action against Facebook for transferring personal data to the US under the safe harbour scheme.

In the words of international law firm Squire Patton Boggs, the court decided that the safe harbour programme threatens EU citizens’ “fundamental right to privacy” because if EU personal data is stored by US companies then those companies can be forced to divulge it to US authorities. 

“At the moment safe harbour is invalid,” said European Commissioner Věra Jourová at a press conference in Brussels hours after the court ruling. She said the ruling affected 4,400 companies that had said they were voluntarily complying with European law even though they transferred personal data out of European jurisdiction to the US.

“Safe harbour was a special arrangement. We want to have a new special arrangement because of the volume of data flowing across the Atlantic. At the moment safe harbour is invalid, but there are clear rules for the transfer of data. There are other mechanisms that will have to be applied.”


At the centre of EU concerns is that data lodged in US data centres can be seen by the National Security Agency and other US intelligence agencies without European authorisation. 

“We don’t have any jurisdiction on American soil and we have to agree the national security points,” said Jourová, one of the commissioners at the head of the EU’s Brussels-based executive arm.

Among the simplest answers may be to use European-based operators. Keeping data within European boundaries or even the boundaries of one particular state is just another of the service criteria that some customers need, suggests Matthew Finnie, the chief technology officer of Interoute - alongside other criteria such as applying different taxes, languages or currencies in different countries.  

“I can understand at a technology level the frustration of ending safe harbour. The technology world lives in a world of eliminating inefficiencies,” said Finnie. But already some clients have insisted that some data should be kept within the boundaries of the EU’s 28 nations, or even within a particular country, for a number of reasons.

“We had one client that for tax reasons wanted some data kept out of certain jurisdictions,” said Finnie. 

Once the new European laws are in force, companies may be subject to checks by privacy commissioners. “Privacy audits will be like tax audits, and you won’t know when they’re coming,” said Ann LaFrance, partner at Squire Patton Boggs, at a recent conference.

European Commission first vice-president Frans Timmermans said of the court ruling: “We have been working with the US to make data protection safer. In the meantime transfers can continue. Transatlantic data flows are important for our economy. We will come forward with clear guidance in the light of the ruling.”

But there are three important needs, said Jouróva: to ensure greater data protection for EU citizens, to ensure data flows can continue, and to develop a coordinated response by all 28 national data protection authorities across the EU. “The Commission remains fully committed to data transfer across the Atlantic,” she said.