Author: Andrew McClelland
In this first of an occasional series of updates, EWW highlights some changes in the international policy field that could impact business selling cross-border. This edition focuses on data protection.
The latter half of 2015 has seen some interesting developments in this area. A core principle of international data protection between the European Union (EU) and the United States (US) has been shaken, Russia has introduced new requirements for businesses processing consumer data and the EU has moved forward on agreeing the next raft of data protection legislation.
The first instance is around Safe Harbor. Safe Harbor is an understanding between the US and EU providing certainty for data controllers in the US who collect and store data of European citizens, or EU-based businesses who use third parties in the US to process this information. Under EU regulations – the Data Protection Directive (DPD) – businesses collecting and processing data on European citizens can only transfer data to other territories that have similar policies to the EU. Safe Harbor was a mechanism which allowed for this transfer of data. However, following certain privacy concerns and issues where US authorities were able to access consumer data, the Court of Justice of the European Union (CJEU) ruled that Safe Harbor no longer provided the legal certainty required.
There is no suggestion at this stage that businesses relying on Safe Harbor agreements will be pursued by data protection authorities. However, it could be worth checking any third party agreements to ensure that risk is transferred appropriately and that partners are taking the necessary steps to ensure that their processes meet the requirements of the DPD or national implementations of the directive. In the case of the UK, this is the Data Protection Act 1998 (Article 25).
On the second point, Russian authorities introduced the data localisation law, which came into force on 1 September 2015. Businesses collecting and processing the personal data of Russian consumers must look to carry out the activity on servers based in that country. Roskomnadzor (eng.rkn.gov.ru/), the Russian data protection authority, is the competent authority responsible for implementing the law, and its published list of companies that will be inspected in 2015 doesn’t include any international business. However, spokesmen are quoted as suggesting that, whilst they understand that big businesses require time to make appropriate changes, Roskomnadzor does have the authority to investigate non-compliance if required. There are a variety of reports as to what has motivated this new approach, but businesses trading with Russian consumers are advised to watch closely for updates, for example ensuring that any new registration requirements are fulfilled.
At an EU level, the long-running process of updating the 1998 Data Protection Directive continues. The legislation, which includes wide-ranging proposed changes to bring data protection requirements in line with modern technology and consumer activities, is currently under ‘trilogue’ negotiations between the European Commission, European Parliament and the European Council. Adoption of the new data protection rules is expected around the middle of 2016, with the new regulation possibly coming into force during 2018 (it has to be two years from the date of adoption). Whilst the details are still being discussed, new levels of fines and notification periods for data breaches are expected. Other areas to look out for include new definitions around what constitutes personal data; how consent relating to data processing activities is gathered; rights around data portability; and the rights of a data subject to have their data file deleted (forgotten). The last two points, when combined, could have significant consequences for business customer retention and marketing activities.
When combined with the increasing regularity of cyber-attacks and data breaches, data protection should be at the top of any business’ priority list. Not only is customer data their biggest asset, it could also be their biggest point of failure. The global nature of business now requires a global view on data protection policies and procedures.
This document is provided for general information purposes only and does not constitute legal, investment or other professional advice on any individual matter. Whereas every effort has been made to ensure that the information given in this document is accurate, eCommerce Worldwide, our partners and sponsors accept no liability for any errors, omissions or misleading statements, and no warranty is given or responsibility accepted as to the standing of any individual, firm, company or other organisation mentioned. Publication as well as commercial and non-commercial transmission to a third party is prohibited unless prior permission is obtained from eCommerce Worldwide. The views expressed in this publication do not necessarily reflect the views of eCommerce Worldwide.