A breaking development in the EU is creating ripples that have the potential to create a global tsunami. A European Court of Justice opinion has implications that highlight the pending impact for any global organization processing EU personal information outside of the EU.
Given that this judgement is not yet finalized, it is worth noting that the EU's high courts have tended to follow the opinion of its legal adviser. So while the 15 judges involved have yet to issue a conclusive ruling of their own on the matter, this does firmly shine the spotlight on the changes, which are expected to be adopted not long after the new year. This ruling affects both private and public sectors equally, with the regulation stipulating that contractual agreements be in place between data controllers and processors that ensure joint responsibility for liabilities and sanctions.
Impact on Data Controllers
For the data controller, the regulations introduce binding contracts with data processors, underpinning the policies and technology required for the appropriate processing of personal data. The changes for data processors are most visible. Under the existing data directive, liabilities with respect to data breach notification and failure to protect personal data lie solely with the data controller. The new regulation makes this a joint liability, with private-sector sanctions expected to be in the range of two to four percent of global profit. Data processors must now employ electronic discovery technology that has fidelity with data controllers within the EU.
With a focus on the information market, data portability, and accessibility, the new regulations bring much needed change to the way personal data is processed and protected, both within the union and wherever the data is processed. This in turn has implications for the Freedom of Information Act and subject-access requests as part of an overarching drive to bring harmony to a struggling Data Protection Directive. After all, the directive could not have foreseen the explosion in internet, mobile and cloud data, and the globalization of organizations. The ability for organizations to forensically identify and locate key information through electronic discovery processes ensures that requests under either the Freedom of Information Act or the Subject Access Regulation can be completed efficiently and economically.
In 2016, when the regulations come into force, companies that provide cloud services within the EU and rely on data centers in the US will be contractually obliged to comply with the proposed changes in the European Union. The results of this opinion present major issues for companies such as Apple, Facebook, Google, Microsoft, and Amazon. Each of these organizations operates data centers in Europe, and each is looking at fundamentally restructuring its data storage architecture. As time passes, this new data protection directive may even force changes in corporate structures.
Damian Hallmark is a Solutions Consultant working in the U.K. office of Guidance Software.