EU Privacy Directive

What is a directive?
• A piece of European legislation, passed by bureaucrats, addressed to member states
• Member states must ensure that directives are implemented in their legal systems

The EU Privacy Directive
• Passed in 1995
• Operative 10/24/98
• Does not allow transfer of data outside the EU to countries that lack adequate personal data privacy safeguards

Applies to “Data Controllers”
• If you operate a Website that collects any personal information, then you are a data controller
• This includes “cookies”
• Visible collection of data from online users gives rise to the argument that the user has given consent

Seven Guiding Principles
• Notice – users should know data is being collected
• Purpose – data should be used only for the stated purpose
• Consent – no disclosure without the subject’s consent
• Security – data should be kept secure from abuses
• Disclosure – subjects should know who is collecting data
• Access – review and correction of data
• Accountability – collectors of data should be accountable

The Safe Harbor
• Benefits
– All 27 EU member states are bound
– Deemed adequate by EU and data flows will continue
– Requirements for prior approval waived
– Claims brought by EU citizens generally heard in the U.S.

How To Join
• Must certify compliance annually with Dep’t of Commerce
• Must state compliance in privacy policy
• Can join a self-regulatory privacy program
• Develop own self-regulatory privacy program

What do Safe Harbor Principles Require?
• Notice
– Must notify individuals as to why data is being collected
– Must notify about disclosures to third parties
– Must describe choices for limiting use and disclosure
– Must provide contact information for complaints

Choice and Onward Transfer
• Must give individuals a chance to opt out
• For “sensitive” information, must require users to opt in
• On transfer, written agreements with third parties are permitted so long as they certify to compliance

Access and Security
• Individuals must be able to access personal info
• Must be able to correct or delete personal info
• Organizations required to take reasonable measures to protect data
• Must be procedures and contacts to fix any problems stemming from noncompliance
• Dispute resolution programs (TRUSTe or BBBOnLine)

Impact
• Relatively few U.S. companies have signed up for the safe harbor
– Although many companies are coming close to it in any event
• EU not enforcing that much – if at all
• Companies that do comply have a large European presence and large data collection activities, or are in the eye of European regulators for other reasons
• Sort of like the Venus de Milo – often discussed, much admired, but rarely embraced
• All of this could change very fast