03 Jul 2019

New European Privacy Laws

This is not new. In 1890, Samuel Warren and Louis Brandeis published their seminal work: The Right to Privacy. Here, for the first time, they discussed codifying privacy law in order to protect the individual and secure “the right to be let alone.”

The paper states: “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”

For Europeans, the right to privacy didn’t appear on the legislative agenda until 1948, when the Universal Declaration of Human Rights was adopted. After the horrors of the Second World War, the Declaration aimed to codify human rights in order to prevent such atrocities from happening again. The right to privacy was included as the 12th fundamental right of all people.

In the 1980s the emergence of the personal computer introduced the concept of personal data, and subsequently necessitated a re-examination of privacy laws. The OECD issued guidelines on data protection, the precursor to the General Data Protection Regulation which came into effect on May 25th, 2018.

From the 2000s onward, the internet began playing an increasingly important role in the lives of many Europeans, often forcing us to re-think our approach to privacy laws.

Let’s now take a look at new European privacy laws in more detail, starting in 2002 and finally culminating with GDPR.

Why are new privacy laws needed?

Even 130 years later, Brandeis and Warren are more relevant than ever and they would no doubt be appalled by the state of privacy in the 21st century.

The internet has opened new vistas of opportunity for malicious actors. The crucial concept of data processing was not thought through, and we are left with a system that doesn’t work.

More specifically, individuals need to forfeit their personal information in order to participate in a modern, digital society. Whenever you sign up for an online account, you are entering personally identifiable information and simply have to hope that the corporation accessing your data does not suffer a breach.

From a business perspective this approach is even worse. Corporations are forced to collect, manage, update and protect their customers’ data, even if they cannot afford to adequately safeguard it. That information often sits in poorly guarded data silos, which are an attractive target for hackers.

In 2013, the European Commission adopted Regulation 611/2013, which tried to implement stricter prevention and reporting measures for businesses which suffer a data breach. It wasn’t until GDPR came into effect, however, that corporations were forced to report security incidents to regulators and customers.

Nevertheless, data is increasingly lost as a result of data breaches, with 6,500 occurring in 2018 alone. In 2019, over 4 billion records have already been exposed, showing how broken the current system is, and how our privacy is being violated.

What kind of legislation can the EU even pass?

Clearly we are in dire need of strong privacy laws, so we should clarify whether the EU even has the mandate to pass laws which are binding for its 28 member states.

As an international government body, the EU can pass Directives or Regulations. The key difference between the two is the amount of freedom that the member states retain. A Directive typically states a number of desired outcomes but allows the states to define their own path to reaching these objectives.

The 5th Anti-Money Laundering Directive (5AMLD) is an instructive example. 5AMLD articulates the need for a sophisticated, international strategy to fight money laundering and terrorism financing. The Directive outlines a number of desired outcomes, but leaves it up to the states how to reach them.

Regulations on the other hand do not provide any freedom. They are typically directly applicable and overrule existing, national legislation. As a result, Directives have proven more popular.

What are the key European Privacy Laws of the last 20 years?

The European Union has passed 5 crucial privacy laws in the last 20 years. It starts in 2002, with the first meaningful piece of legislation tackling electronic communication and culminates in 2016 with the passing of GDPR.

Let’s look at these laws in more detail now:

  • 2002, Directive on Privacy and Electronic Communication: Also known as the ePrivacy Directive, this EU law tried to tackle many new challenges that accompanied the rise of the internet. Specifically, it focused on issues like security, data retention, and the free movement of data. It also introduced an opt-in requirement for email addresses within the European Union. Unsolicited marketing emails were consequently prohibited, although that hasn’t stopped corporations invading our privacy with them anyway. Additionally, the Directive articulates the obligation for businesses to inform visitors about cookies, which are stored in the browser. Overall, this was a watershed law that introduced many provisions which are still in use today.
  • 2006, Directive on the retention of data: Repealed in 2014, this EU law aimed to compel telecommunications companies to retain customer data for 6 to 24 months. Under this Directive, law enforcement agencies would have time to access IP addresses, phone calls and text messages in order to identify criminal behaviour. Of course this data was not freely accessible but had to be requested and granted by a court. In April 2014, Digital Rights Ireland sought to repeal the Directive and brought a case to the Court of Justice of the European Union. The case was upheld and the Directive was repealed.
  • 2009, Update to the Evolution of the EU Electronic Communications Regulations: In 2009, the Directive that had been passed seven years previously was amended in order to better protect the privacy of individuals. It reflected recent technological advances, such as instant messaging and voice over IP, and tried to include them within the European electronic privacy framework.
  • 2013, Directive on the measures applicable to the notifications of personal data breaches: This EU privacy law aimed to provide clear guidelines for businesses that had suffered a data breach. This is when the sensitive information — usually customer data — is accessed by an unauthorized individual. Thousands of data breaches happen every year and these have to be reported to local authorities. With the passing of GDPR, the obligation to report data breaches was further heightened.

The General Data Protection Regulation (GDPR)

The final EU privacy law we need to mention here came into effect on the 25th of May 2018 and is known as GDPR.

This is the most wide-reaching privacy law passed by the European Union and its effects have reverberated across the world wide web. We’ve put together a detailed GDPR checklist for you, but let’s look at the impact it had on privacy.

Passed in 2016, GDPR came into effect two years later — something you may have noticed, due to every online service sending you an email about their updated terms of service.

Twitter’s GDPR Privacy Update

The aim of the law is to set out clear guidelines for how user data can be handled, and to define punitive measures for corporations that fail to comply. The penalties laid out have received a lot of attention, as they include a maximum fine of 20 million Euros or 4% of the company’s global revenue. Both Google and Facebook already face penalties amounting to $57 million and $1.6 billion respectively, so GDPR is not to be taken lightly.

For business owners, GDPR often means a reconfiguration of how customer data is processed and accessed. Start by adding double opt-in to your registration process and giving users the ability to review their data.

Also make sure to inform visitors about any cookies you may be using and make it easy to find your privacy information. For a comprehensive action plan, make sure to download our GDPR checklist.

Conclusion — New European Privacy Laws

The timeline provided above shows us that GDPR did not happen in a vacuum. It was not a stand-alone event that brings privacy law to a conclusion.

Instead, it’s the next iteration of a long line of legislation designed to restore some semblance of privacy to individuals. With that in mind, the next EU privacy laws are already being drawn up, and we can expect major updates to the ePrivacy rules that have been passed over the last 20 years.

The compliance burden will continue to grow for businesses, which is one of the key reasons why many are choosing to work with experts in 2019. Book a demo below.
