EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats,...

Date post: 27-Mar-2015
Upload: brandon-hood
Page 1: EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.

EU Privacy Directive

What is a directive?

• A piece of European legislation, passed by bureaucrats, addressed to member states

• Member states must ensure that directives are implemented in their legal systems

The EU Privacy Directive

• Passed in 1995

• Operative 10/24/98

• Does not allow transfer of data outside the EU to countries that lack adequate personal data privacy safeguards

Applies to “Data Controllers”

• If you operate a Website that collects any personal information, then you are a data controller

• This includes “cookies”

• Visible collection of data from online users gives rise to argument that user has given consent

Seven Guiding Principles

• Notice – users should know data is being collected

• Purpose – data should be used only for stated purpose

• Consent – no disclosure without subject’s consent

• Security – data should be kept secure from abuses

• Disclosure – subjects should know who is collecting data

• Access – review and correction of data

• Accountability – collectors of data should be accountable

The Safe Harbor

• Benefits

– All 27 EU member states are bound

– Deemed adequate by EU and data flows will continue

– Requirements for prior approval waived

– Claims brought by EU citizens generally heard in the U.S.

How To Join

• Must certify compliance annually with Dep’t of Commerce

• Must state compliance in privacy policy

• Can join a self-regulatory privacy program

• Develop own self-regulatory privacy program

What do Safe Harbor Principles Require?

• Notice

– Must notify individuals as to why data is being collected

– Must notify about disclosures to third parties

– Must describe choices for limiting use and disclosure

– Must provide contact information for complaints

Choice and Onward Transfer

• Must give individuals a chance to opt out

• For “sensitive” information, must require users to opt in

• On transfer, written agreements with third parties are permitted so long as they certify to compliance

Access and Security

• Individuals must be able to access personal info

• Must be able to correct or delete personal info

• Organizations required to take reasonable measures to protect data

• Must be procedures and contacts to fix any problems stemming from noncompliance

• Dispute resolution programs (Truste or BBBonline)

Impact

• Relatively few U.S. companies have signed up for the safe harbor

– Although many companies are coming close to it in any event

• EU not enforcing that much – if at all

• Companies that do comply have a large European presence and large data collection activities, or are in the eye of European regulators for other reasons

• Sort of like the Venus de Milo – Often discussed, much admired, but rarely embraced

• All of this could change very fast
