Directive vs. Regulation: The Proposed Changes to the European Privacy Protection Framework

The Regulation was originally created to address two issues that had arisen during the course of the Directive. One, the principles outlined in the Directive needed to be amended and expanded to address advancing technological developments and increasing globalization. Two, the fact that the Directive required individual member states to create their own implementing legislation meant that the Directive created a patch-work of laws that did not provide for equal and adequate protections for data among all the EU member states.

A regulation, unlike a directive, is directly binding upon the EU member states. This means that individual member states do not create their own implementing legislation; the regulation automatically becomes a part of the legal framework of each member state.

The proposed Regulation incorporates the basis principles of the Directive, but contains some changes and additions. One of the most significant changes is the explicit consent provision of the draft Regulation, which has been a source of contention among Members of the European Parliament (MEPs) and U.S. politicians. Under the current version of the Regulation, businesses would need to obtain explicit consent of individuals if they wish to process personal data. Some exceptions to this requirement exist in the Regulation. Under the Directive, however, the standard is that consent must be “unambiguous” and opponents of the draft believe that the weaker language of the Directive should be maintained in this instance.

The proposed Regulation also heightens the protections afforded to individuals by placing more restrictions on data controllers. Personal data can only be processed “if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data.” If data controllers cannot fulfill their purposes without processing personal data, they are now required to only collect personal data that is “adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed.”

Along with the strengthening of individual rights has come the “right to be forgotten”, which gives individuals “the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data.” Individuals may use this right in cases where the data is no longer needed for the original purpose for which it was collected and processed; consent for the processing has been withdrawn; the authorized time for storage has elapsed or the individual is concerned with the processing of the information.

The Regulation’s approach to sensitive information differs greatly from the approach adopted by the U.S. where sensitive information is only protected in limited ways in specific industry sectors. In contrast to the broad prohibition on automated processing of sensitive information imposed by the Regulation, automated processing of sensitive information is usually not covered by U.S. regulations that cover the processing of sensitive information.

Most importantly, the proposed Regulation retains the prohibition of data transfer to nations with inadequate protection for personal data. The proposed Regulation applies to foreign companies that either conduct business in the European Union or offer their services to EU citizens. Data transfers to non-EU countries are permitted when (1) the Commission certifies that the country, territory or processing sector ensures an adequate level of protection; or (2) an appropriate legally binding and appropriate entity establishes appropriate safeguards for data transfer; or (3) specified conditions are met such as consent or necessity due to public interest. The potential issues with data transfer to the United States are significant due largely to the fact that the European Union is the most important trade relation for the U.S. Despite the creation of the Safe Harbor program, the European Union does not consider the United States a nation that provides adequate data protection.

Data transfers from the EU to the U.S. are important to businesses for a myriad of reasons. Companies need to be able to communicate personal data to their supplies, markets, manufacturers and other third-party suppliers. Companies also need to be able to transfer personal data on employees and other company personnel. A potential restriction on data transfer could, therefore, severely restrict the ability of companies to operate in both continents. Although it is unlikely that the European Commission will prohibit all data transfer to the United States, the Regulation gives the Commission the power to prohibit data transfers to certain companies and even specific industries that are determined not to meet the adequacy requirement. Under the terms of the Regulation, EU member states have the power to fine companies that are in violation of the provisions of the Regulation and enjoin them from transferring data.

The proposed Regulation has been met with considerable resistance from U.S. companies and government entities. The provisions of the Regulation have prompted intense lobbying efforts from European and American entities and the Commission has been accused of “watering down” the Regulation in response to the lobbying. The European Commission has, however, denied these allegations, despite admitting to intense U.S. lobbying efforts.

Documents received by various news sources have illustrated the extent to which the Regulation has been a source of contention between the United States and the European Union. The documents also show, however, that the European Commission has been firm, in some regards, in its response to the U.S. despite claims that the Commission is weakening provisions of the Regulation to appease the U.S. government, which has advocated for less stringent requirements and the deletion of provisions which could affect U.S. surveillance programs.

United States surveillance measures have also created significant implications for the provisions of the Regulation. The November 2011 draft Regulation included a provision that would have limited the ability of U.S. intelligence agencies to spy on European Union citizens. The provision was created in response to the U.S. Foreign Intelligence Surveillance Act, which authorized U.S. authorities to listen in on international phone calls and emails. The provision would have nullified any U.S. requests for data on EU citizens from technology and telecom companies, and would have made it a condition for the disclosure of private data to third countries that the authorities in that country have a legal foundation such as authorization from a data protection authority or a mutual legal assistance agreement. This provision was, however, eliminated in January 2012 after intense lobbying efforts on the part of the United States.

News of the U.S. PRISM program, which allows U.S. intelligence agencies to gain access to personal data gathered from large Internet companies, may also have implications for the Regulation. Commissioner Viviane Reding stated that the U.S. data collection scandal illustrates the need for a clear data protection framework and that this framework should be considered a fundamental right. There has been some discussion of readmitting the strict data protection provisions from the 2011 draft Regulation, but as of now it appears that the European Commission will continue on without those provisions. MEP Albrecht stated that the watered down provisions have serious implications for programs such as PRISM and warned that proposed amendments that require less stringent regulation of data sharing, will weaken or limit obligations for data processors and will allow data processors to move data globally without having to inform the DPAs.

Lisa Lansio is a J.D. candidate, ’15, at the NYU School of Law.