GENEVA — Europe’s new rules on data protection affect businesses and consumers around the world — and also the many international organizations that process personal data and must respect the right to privacy.
The centerpiece of the European Union’s new rules, and what makes them relevant for international organizations, is the policy of accountability, experts say. Data handlers must be able to demonstrate compliance. People can ask for everything that is known about them and have it all deleted in keeping with their “right to erasure.”
Most of the focus on the General Data Protection Regulation, or GDPR, has been on companies that do business with the E.U.’s 508 million people and with the European Economic Area countries of Iceland, Liechtenstein and Norway.
Even a behemoth like Facebook was not entirely ready for the May 25 enforcement date. The viral Associated Press photo of CEO Mark Zuckerberg’s notes for his U.S. Senate hearing in April revealed he was instructed not to say that Facebook already does everything required by GDPR.
AP photo of Mark Zuckerberg’s notes shows he was prepared for senators to ask about resigning. — ABC News (@ABC) April 11, 2018
The E.U.’s biggest trading partners are the United States, China, Switzerland and Russia, but the new rules apply to anyone who collects data on E.U. citizens, regardless of where the data processing occurs.
Penalties are discretionary but can reach up to 4 percent of annual global turnover or 20 million euros — whichever is higher.
“It will not only affect people and companies within the E.U.; the impact of the GDPR will be global,” said E.U. Data Protection Supervisor Giovanni Buttarelli.
“In my view, the biggest policy and legal innovation in the GDPR is the notion of accountability,” he said in a 2017 speech at U.N. Migration, or IOM, in Geneva. “And since the notion of accountability will soon expand outside the E.U., it is of relevance for international organizations. I have already noted in this regard that many international organizations have taken steps, for some of them many years ago, to be accountable in the way they process personal data.”
A long time coming
The rules stem from a collision between the capture and commerce of data, already a central feature of the 21st century, and the right to be forgotten, a European concept that has been around for a while.
International human rights law — the United Nations’ Universal Declaration of Human Rights adopted in 1948 and International Covenant on Civil and Political Rights that took effect in 1976 — underpins data protection and privacy rights.
The right to privacy or private life is enshrined in Article 12 of the Universal Declaration of Human Rights; Article 17 of the International Covenant on Civil and Political Rights; Article 8 of the 1953 European Convention on Human Rights; and Article 7 of the 2000 European Charter of Fundamental Rights.
Privacy and data protection are two rights enshrined in the E.U. treaties — the Treaty on the European Union, originally signed at the Dutch city of Maastricht in 1992, and the Treaty on the Functioning of the European Union, or TFEU, originally signed in Rome in 1957 — and in the European Charter of Fundamental Rights’ Article 8, which contains an explicit right to the protection of personal data. The entry into force of the Lisbon Treaty in 2009 gave the Charter of Fundamental Rights the same legal value as the E.U.’s constitutional treaties.
The TFEU’s Article 16 obliges the E.U. to lay down data protection rules for the processing of personal data. The E.U. is unique in providing for such an obligation in its constitution. The Organization for Economic Cooperation and Development, or OECD, began work on privacy and data protection in the early 1970s.
With cooperation from the Council of Europe, OECD created guidelines in 1980 that it viewed as the minimum needed to protect individuals’ privacy and personal data without resorting to more regulation of exports of personal data.
A decade later — and three years before the first web browser made the Internet publicly accessible — the U.N. General Assembly in 1990 agreed to non-binding guidelines calling for the electronic collection of personal data only under well-defined circumstances, and for U.N. member nations to enact national laws.
Starting in 1995, the European Data Protection Directive regulated the processing of people’s personal data and the free movement of that data. It ceased to apply the day before the GDPR took effect on May 25.
Then in 2005, the E.U., Council of Europe and OECD began sponsoring a series of workshops on data protection within international organizations.
The same year, an International Conference of Data Protection issued a declaration by officials from nations and international organizations calling on the United Nations to seek an international agreement on data protection and privacy as enforceable human rights.
In 2012, the E.U. adopted a new “accountability principle” that everyone who takes part in data processing should demonstrate they are adequately protecting the data.
The German government demanded stronger international and European rules on data protection after the scandal broke in 2013 that the U.S. National Security Agency collected telephone records on tens of millions of Americans — and monitored phone conversations of 35 world leaders, including German Chancellor Angela Merkel.
A 2014 European Court of Justice ruling in a Spanish case added impetus to stronger standards. The court held that Google was subject to E.U. data protection rules after a Spanish man complained that Google’s search engine linked his name to a 1998 announcement that his house was being auctioned to cover unpaid social security debts. Google began allowing E.U. residents to ask for links to information about them to be removed.
In 2015, the Office of the U.N. High Commissioner for Refugees, or UNHCR, published a policy for protecting the personal data of “persons of concern.”
Though it was internal staff guidance, the policy emphasized that data protection under international law was increasingly important for international organizations. The guidance — for one of the organizations where confidentiality can be a matter of life and death — emphasizes principles such as accuracy, confidentiality and security.
“International organizations, because they are on the front line of the challenges and uncertainty of globalization, should show leadership in improving data protection standards,” the E.U.’s Buttarelli said in a 2017 speech to an IOM workshop on data protection within international organizations.
Differences over privacy
Now, under E.U. rules, companies and organizations must be able to demonstrate that someone has consented to having their personal data processed, and the consent must be “freely given” and requested in an “intelligible and easily accessible form, using clear and plain language.” Data hacks or breaches must be reported within 72 hours.
Though many Americans believe their personal information is less secure now than it was a few years ago, and admissions of huge data breaches seem to regularly make the headlines, there is no U.S. equivalent to the E.U. data protection and privacy rules.
One major U.S. law, the Health Insurance Portability and Accountability Act, or HIPAA, only applies to “protected entities” that deal in “protected health information.” That may change as more companies like Facebook and Google contend with the E.U. rules.
Questioned at the Senate hearing, Zuckerberg acknowledged he would not be comfortable sharing the name of the hotel he stayed in the night before, or names of people he messaged that week.
Democratic Senator Richard Durbin of Illinois said the issue came down to privacy: “The limits of your right to privacy. And how much you give away in modern America in the name of, quote, connecting people around the world.”
Zuckerberg replied: “I think everyone should have control over how their information is used.”
There was little talk about privacy outside the United States or Europe, where the issue more often translates into existential questions about safety. This coming October, the 2018 International Conference of Data Protection and Privacy Commissioners will be held in Brussels, the first time in its almost 40-year history that an E.U. institution has been chosen to play host.
As data protection and privacy rules proliferate, however, a growing number of businesses and international organizations may come to reflect more of the European view that people should control their own data and also have a right to “erasure.”