European data protection law proposals revealed

Summary: A draft of Europe's upcoming data protection laws is revealed for the first time.

TOPICS: Legal, Microsoft, EU

Draft legislation, which will pave the way for the new European Data Protection Directive, is set to be announced in January.

After two years of research into the reach and breadth of the USA PATRIOT Act, in particular how the U.S. government can access European data, the draft legislation will include measures to counteract the covert acquisition of European data by U.S. law enforcement.

Gordon Frazer, managing director of Microsoft UK, told ZDNet nearly six months ago that "no company" could guarantee that European data will never leave Europe, particularly when faced with a request made under the Patriot Act.

Frazer's admission validated over a year's worth of research.

The European Parliament was furious at Frazer's admission. That outrage led members of the European Parliament (MEPs) to put questions to the European Commission, Europe's executive body, in a bid to clarify the current data protection laws.

Viviane Reding, vice-president of the European Commission for Justice, Fundamental Rights and Citizenship, announced last month that the Commission would seek to update the data protection laws. Little detail was given beyond a proposed date: the law would be unveiled in January 2012.

In an exclusive, ZDNet can now reveal that the current European Data Protection Directive (95/46/EC) will be repealed, and the draft legislation once ratified will replace current data protection laws across the 27 member states.


Two draft legal instruments, prepared by the European Commission's Directorate-General for Justice under its director-general, Francoise Le Bail, have entered inter-service consultation. This process gives other Commission departments the opportunity to comment on and amend the drafts before they are formally released.

The EU legislative process can take two or three years before draft legislation becomes law. The current directive was adopted in 1995, but it took a further three years before the member states of the European Union had enacted it in their own legal systems.

European sources say that Reding will announce the final 116-page version of the drafts at the World Economic Forum in January 2012.

There are two draft documents:

  • The General Data Protection Regulation, which covers the free flow of data and the protection of individuals.
  • The Police and Criminal Justice Data Protection Directive, which covers the processing of personal data by law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences.

A tough set of measures lies ahead for businesses operating in Europe. Companies, even if headquartered in the U.S. or another third country, could face severe financial penalties if they are found to have broken the new legislation.

The regulation will become directly applicable in all 27 member states without national transposition. The directive will need to be transposed into member states' law by their national parliaments.

Highlighted in the draft legislation, we find:

  • As the regulation would come top-down from Brussels, the home of the European legislative bodies, it would provide near-complete harmonization of future data protection law across the member states.
  • The regulation would also place companies with operations in multiple European member states under the jurisdiction of a single state's legal system, including its data protection law. The location of their designated European headquarters determines which state that is.
  • Data processors, such as Microsoft and Google, which merely store and manage data through their services, will be under many of the same obligations as data controllers, such as the businesses and universities that own the data.
  • Data controllers and data processors will be required to sign an agreement allocating responsibility for the data between them. Should no agreement be made, both parties would be jointly liable for all processing, and for any data loss or privacy breach.
  • Companies based outside Europe, in the United States for example, will continue to be subject to European law if they have a European office or European customers.
  • Opt-in consent will be made obligatory. This relates mostly to data processing for marketing, and will require explicit consent from the data subject before companies can process data for such purposes.
  • The "right to be forgotten" will be sanctioned by Brussels. Though this has come up against criticism from the UK's data protection authority, measures will be put in place to allow European citizens to have their data deleted by private companies.
  • If a company suffers a data loss or breach, both the data protection authority and the affected individuals must be informed within 24 hours of the breach being discovered.
  • For public sector bodies, and for any company with more than 250 employees, an internal data protection officer would be mandatory.
  • The Article 29 Working Party will be renamed the "European Data Protection Board", which would act as the executive body of all member states' data protection authorities.
  • The Commission will be granted the power to issue provisions interpreting the regulation, allowing member states to refer high-level cases directly to Brussels.

One more thing:

  • The reforms will effectively replace the EU/U.S. Safe Harbor arrangement; instead, companies will be issued "adequacy" statements allowing European companies to transfer data to their non-European counterparts.

In practice, this would make it illegal under European law for a company like Microsoft or Google, or any other cloud-based or data processing company, to hand over data held in the UK in response to a Patriot Act request from the U.S. government: the data protection authority of the member state with jurisdiction over the company's European headquarters would first have to approve the transfer.

If any of these rules are broken, member states' data protection authorities will be able to impose sanctions of up to 5 percent of a company's annual worldwide turnover.

Based on its figures as of June this year, Microsoft could be fined up to around $1.1 billion per incident if it were found to be in breach of the draft legislation. Google could likewise be fined up to around $430 million per breach.

Some MEPs are calling for immediate changes to the law.

Dutch MEP and vice-chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee, Sophie in 't Veld, argues that two or three years for the draft legislation to be ratified is too long.

In 't Veld, along with a number of other MEPs, is seeking emergency legislation to prevent the U.S. government from accessing European data through the Patriot Act 'loophole'.


  • RE: European data protection law proposals revealed

    "Companies outside Europe -- such as the United States -- will continue to be subject to European law, if they have a European-based office, or European customers."

    OK. Here's a question. US based blog. Blog is centered around discussions of events in US society. Requires registration to post comments. Someone from the EU registers and posts comment and they later say "remove all my comments". We don't. Are we now in violation of EU law?

    What if we allow people to post anonymously. Can someone from the EU later come back and claim EU law requires us to remove their comment based on the IP address they used at the time?
    • RE: European data protection law proposals revealed


      If they are posting TRULY anonymously, with no information on where the post was made from kept? No, under these rules you would not have to remove those comments.
      • RE: European data protection law proposals revealed


        WordPress blogs record the IP address of all posts. This really helps slow down spam and trolls. Anonymous in this case means they didn't give a handle or email address. And what about my first question?

        And remember this is a blog hosted in the US and paid for by private citizens in the US with the audience intended to be people in the US and maybe Canada. Are we supposed to stop people in the EU from reading this blog and commenting on it?
  • RE: European data protection law proposals revealed

    That 'right to be forgotten' would be handy with places like Encyclopedia Dramatica, who smear people's names on a regular basis and really need to be shut down for slander, libel, etc.
  • RE: European data protection law proposals revealed

    I find it comical how EU countries become horrified if the US is seen to impose itself overseas (there is a huge movement to block the US from extraditing a hacker from the UK) but here the EU is trying to create laws for the US and impose those laws on US citizens.

    I am sorry but the US constitution does not give the EU authority over the US. Never did, never will (and that is a good thing because the EU courts seem to be running amok).

    The EU can demand all they want, that does not change any US law.

    If the Patriot Act can't override EU laws in the EU, how then can the EU expect EU laws to override the Patriot Act on US soil?

    If I give data to some French based company and my data is stored in France, because I am from the US is the French company bound by the US laws that govern how my data is to be protected? Answer: No, if the French company does not have a US data center the French company is not bound by US laws.

    If an EU person gives a US company data and that data is stored in the US, because the person is from the EU how in the world does that change US laws? Answer: It doesn't.

    The EU may want to pretend that they write the world's laws, but they do not.
    • RE: European data protection law proposals revealed


      I agree with your argument, except that the US Patriot Act is doing just that to the rest of the world. We have no more signed up to the US constitution than you have to the Maastricht treaty, so why should we have to be answerable to an American court?
  • Data protection

    I have no problem with reciprocal agreements between any country or countries so long as there is parity. E.g. if a hacker commits a crime in the US they should not be able to hide behind EU citizenship etc. However, there is a problem when something is illegal in one area but not in the other, as then there is a clear legal problem because the defendant has committed no crime in their own country.

    My biggest concern about the new EU law is that a large organisation such as a bank can now export personal data to countries such as India and then promise it will be safe. However, as there are literally no DP laws in many of those countries, it's a pretty hollow promise, and one that is virtually impossible to police from the US or EU.