New data protection rules for privacy impact organizations

BRUSSELS (AN) — Europe's new rules on data protection affect businesses and consumers around the world — and are 'of relevance' to the many international organizations that process personal data and must respect the right to privacy.

The centerpiece of the European Union's new rules, and what makes them relevant for international organizations, is the policy of accountability, experts say. Data handlers must be able to demonstrate compliance. People can ask for everything that is known about them and have it all deleted in keeping with their "right to erasure."

Most of the focus on the General Data Protection Regulation, or GDPR, has to do with companies that do business with the E.U.'s 508 million population and the Agreement on the European Economic Area countries of Iceland, Liechtenstein and Norway.

But the GDPR also requires data controllers to give information about their dealings with international organizations, and to offer access rights to data subjects whose data is intended to be transferred to international organizations. That means data controllers must inform the data subjects beforehand about any intention to transfer some of their personal data to international organizations.

Even a behemoth like Facebook was not entirely ready for the May 25 enforcement date. The viral Associated Press photo of CEO Mark Zuckerberg's notes for his U.S. Senate hearing in April revealed he was instructed not to say that Facebook already does everything required by GDPR.

The E.U.'s biggest trading partners are the United States, China, Switzerland and Russia, but the new rules apply to anyone who collects data on E.U. citizens, regardless of where the data processing occurs.

Penalties are discretionary, but can reach up to 4% of annual global turnover or 20 million euros — whichever is higher.

"It will not only affect people and companies within the E.U.; the impact of the GDPR will be global," said E.U. Data Protection Supervisor Giovanni Buttarelli.

"In my view, the biggest policy and legal innovation in the GDPR is the notion of accountability," Buttarelli said in a 2017 speech at U.N. Migration, or IOM, in Geneva.

"And since the notion of accountability will soon expand outside the E.U., it is of relevance for international organizations," he said. "I have already noted in this regard that many international organizations have taken steps, for some of them many years ago, to be accountable in the way they process personal data."

A long time coming

The rules stem from a collision between the capture and commerce of data, already a central feature of the 21st century, and the right to be forgotten, a European concept that has been around for a while.

International human rights law — the United Nations' Universal Declaration of Human Rights adopted in 1948 and International Covenant on Civil and Political Rights that took effect in 1976 — underpins data protection and privacy rights.

The right to privacy or private life is enshrined in the Universal Declaration of Human Rights' Article 12; the International Covenant on Civil and Political Rights' Article 17; the 1953 European Convention of Human Rights' Article 8; and the 2000 European Charter of Fundamental Rights' Article 7.

Privacy and data protection are two rights enshrined in the E.U. treaties — the Treaty on the European Union, originally signed at the Dutch city of Maastricht in 1992, and the Treaty on the Functioning of the European Union, or TFEU, originally signed in Rome in 1957 — and in the European Charter of Fundamental Rights' Article 8, which contains an explicit right to the protection of personal data. The entry into force of the Lisbon Treaty in 2009 gave the Charter of Fundamental Rights the same legal value as the E.U.'s constitutional treaties.

The TFEU's Article 16 obliges the E.U. to lay down data protection rules for the processing of personal data. The E.U. is unique in providing for such an obligation in its constitution. The Organization for Economic Cooperation and Development, or OECD, began work on privacy and data protection in the early 1970s.

With cooperation from the Council of Europe, OECD created guidelines in 1980 that it viewed as the minimum needed to protect individuals' privacy and personal data without resorting to more regulation of exports of personal data.

A decade later — and three years before the first web browser made the internet publicly accessible — the U.N. General Assembly in 1990 agreed to non-binding guidelines calling for the electronic collection of personal data under well-defined circumstances, and for U.N. member nations to enact national laws.

Starting in 1995, the European Data Protection Directive regulated people's personal data and the free movement of data. That became invalid a day before the GDPR went into effect this year on May 25.

In 2005, the E.U., Council of Europe and OECD began sponsoring a series of workshops on data protection within international organizations.

The same year, an International Conference of Data Protection issued a declaration by officials from nations and international organizations calling on the United Nations to seek an international agreement on data protection and privacy as enforceable human rights.

In 2012, the E.U. adopted a new "accountability principle" that everyone who takes part in data processing should demonstrate they're adequately protecting the data.

The German government demanded stronger international and European rules on data protection after the scandal broke in 2013 that the U.S. National Security Agency had collected telephone records on tens of millions of Americans — and monitored phone conversations of 35 world leaders, including German Chancellor Angela Merkel.

A 2014 European Court of Justice ruling in a Spanish case added impetus for stronger standards. The court held Google was subject to E.U. data protection rules after a Spanish man complained Google’s search engine linked his name to a 1998 announcement his house was auctioned to cover unpaid social security. Google began allowing E.U. residents to ask to remove linked information about them.

In 2015, the Office of the U.N. High Commissioner for Refugees, or UNHCR, published a policy for protecting the personal data of "persons of concern."

Though it was internal staff guidance, the policy emphasized data protection under international law was increasingly important for international organizations. The guidance — for one of the organizations where confidentiality can be a matter of life and death — details principles such as accuracy, confidentiality and security.

"International organizations, because they are on the front line of the challenges and uncertainty of globalization, should show leadership in improving data protection standards," the E.U.'s Buttarelli said.

Differences over privacy

Under E.U. rules, companies and organizations now have to demonstrate someone consented to having their personal data processed, and the consent must be “freely given” and asked in an “intelligible and easily accessible form, using clear and plain language.” Data hacks or breaches must be reported within 72 hours.

Though many Americans believe their personal information is less secure now than it was a few years ago, and admissions of huge data breaches regularly make headlines, there is no U.S. equivalent to the E.U. data protection and privacy rules.

One major U.S. law, the Health Insurance Portability and Accountability Act, or HIPAA, applies to "protected entities" for "protected health information." That may change as more companies like Facebook and Google contend with E.U. rules.

At the Senate hearing, Zuckerberg acknowledged he would be uncomfortable sharing the name of the hotel he was staying in or people he messaged that week.

Democratic Senator Richard Durbin of Illinois said the issue came down to privacy: "The limits of your right to privacy. And how much you give away in modern America in the name of, quote, connecting people around the world.”

Zuckerberg replied: "I think everyone should have control over how their information is used."

There was little talk about privacy elsewhere in the world where the issue more often translates into questions around safety. In October, the International Conference of Data Protection and Privacy Commissioners will be held in Brussels, the first time in almost 40 years that an E.U. institution is playing host.

As data protection and privacy rules proliferate, a growing number of businesses and international organizations are considering the European view that people should control their own data and also have a right to "erasure."