Security: Prepared for the EU's New Data Protection Regulation?
As the U.K. prepares to begin enforcing its version of the European Union's E-Privacy Directive later this week, the 27-member nations of the E.U. are considering new draft legislation that would reform and harmonize data protection laws.
Mon, May 21, 2012
CIO — Big changes are coming to data protection laws in the European Union. Are you ready?
On Saturday, the U.K. will begin to enforce the amended Directive on Privacy and Electronic Communications, better known as the E-Privacy Directive, which it passed last year. Meanwhile, all 27 member nations of the economic and political confederation are debating much broader draft legislation, introduced by the European Commission (E.C.) in January, which would reform and harmonize data protection laws across the E.U.
The E-Privacy Directive, which the U.K.'s Information Commissioner will begin to enforce on May 26, requires consent for all non-essential tracking of individuals as they traverse the Web, whether that tracking involves tags, cookies or other tracking technology. In other words, Websites must inform consumers in detail about any tracking that takes place on the site and obtain consent before proceeding with the tracking.
Updating the Data Protection Directive
Like many other European data protection laws, the U.K.'s implementation of the E-Privacy Directive is an outgrowth of the Data Protection Directive, adopted by the E.C. in 1995 and intended to apply a set of common rules and safeguards for personal data throughout the member countries of the E.U. But as a 'directive' rather than a 'regulation,' it was up to the individual member countries to implement specific laws.
In the 17 years since the E.C. adopted the Directive, E.U. member states have adopted a patchwork quilt of data protection laws that vary in both language and the penalties for non-compliance. For example, when it comes to the E-Privacy Directive, some of the member countries adopted opt-in laws, others adopted opt-out laws and still others have considered annual consent procedures.
In effect, organizations operating in Europe have had to deal with a dizzying array of laws governing the holding and processing of personally identifiable information (PII).
Additionally, the Data Protection Directive was drafted in the early days of the public Internet: Hotmail did not yet exist and the public had yet to know what the term "Google search" meant. The directive did not anticipate the changes to computing that would come from software-as-a-service (SaaS) and other forms of cloud computing.
"Currently, we have 27 member states in Europe, and each one of those member states has taken it upon themselves to create their own version of the Data Protection Act," says Jason Currill, CEO of Ospero, a provider of global hosting, infrastructure and platform services.
"Most of them are pre-cloud, based on the Data Protection Directive formulated in 1995. Everything has now changed. Geopolitical barriers have been smashed by the cloud. There are data privacy issues and data sovereignty issues that didn't exist back in 1995," Currill says.