The term 'privacy law' in the US tends to translate to 'data protection law' in Europe. Data protection law imposes a set of rules which govern the processing of personal data by commercial organisations. Personal data is any data from which a living individual can be identified, whether from the data itself, or from the data and other information in the possession of the person handling the data.

'Data processing' can involve accessing or manipulating data held on computer in some way. It can arise from something as simple as storing or accessing a computer file containing personal details, or from more sophisticated manipulation such as matching names to other criteria held on computer. It follows that virtually every organisation is involved in processing personal data, and is as a result potentially subject to data protection legislation in those jurisdictions where it is active. Contrary to popular belief, this is not limited to the EU - more than 30 different European jurisdictions currently have some form of privacy law already in place. Local law commonly includes a requirement to register with the local data protection authorities.

The law and its enforcement vary significantly throughout Europe, with the penalties for non-notification ranging from administrative action, to restrictions on activity for limited companies, to 5 years in prison for officers of the organisation. For those countries in the EU, the law further sets out restrictions on the transfer of personal data outside the European Economic Area (the European Union plus Norway, Iceland, and Liechtenstein - known as the EEA). It provides that no data may be transferred unless one of a number of specified conditions applies.

The European Commission has decided that a handful of non-EEA countries (at the time of writing Switzerland, Canada, Hungary, Argentina and almost Guernsey) do offer 'adequate' protection. As the US is currently not regarded as 'safe', this restricts the permitted transfer of data between EU countries and the US. This may change should some of the proposed new US privacy laws pass Congress. In the meantime, however, an alternative approach is required.

One of the options would be the Safe Harbor agreement reached between the EU and US in 2000 which provides a code for US companies to sign up to. Complying with the code, and self-certifying this with the US Department of Commerce, will be deemed to give an adequate level of data protection in relation to data transfers to the US organisation concerned. The European Commission has also published some approved contractual clauses which can be incorporated in agreements between EU and non-EU companies which will ensure that the level of protection is considered adequate. However, few US firms use these methods, and there are often sound commercial reasons for this.

One high-profile case which illustrates the issues, and highlights the link with security particularly in the online sector, concerned the Spanish version of the reality TV show Big Brother. In Spain, as in other parts of Europe, thousands of applicants sent their details in to the TV company in the hope of taking part. Some of the personal details of around 1,700 applicants appeared on a fan club website after an attack on the TV company's server.

In Spain, in common with most of Europe, an attack like this offends against data protection legislation. It was reported that as a result the programme makers might face a fine of up to $4m for the breach, together with civil actions from the unlucky contestants whose details appeared on the fan club site. This shows us that whilst Europe has not yet seen mandatory reporting like the legislation being implemented in California, when a breach occurs potentially substantial civil damages could result.

Now is a good time to become familiar with the applicable legislation. Compliance programmes can be established and rolled out across each of the European locations a US company does business in. Enforcement action is likely to increase significantly in the next 12 months within the EU, but particularly in applicant countries, which will need to show the EU that they are tough on data protection transgressions and which also need to raise money from fines to fund their own programmes. Businesses that fail to comply may regret their inactivity.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.