• Changes to EU Data Protection Directive Will Likely Impact U.S.-Based Companies
  • December 12, 2011 | Author: Ieuan Jolly
  • Law Firm: Loeb & Loeb LLP - New York Office
  • Planned changes to the European Union's Data Protection Directive (EU Directive), some of which are directed at non-EU companies, may significantly impact how U.S.-based entities that interact with EU consumers can collect, store and use consumer data.

    In a statement Justice Commissioner Viviane Reding, Vice President of the European Commission, advised that the European Commission plans to reveal its proposal for revising the EU Directive by the end of January 2012. Following a meeting with German Federal Minister for Consumer Protection, Ilse Aigner, in Brussels to discuss strengthening the EU's data protection rules, Reding and Aigner issued a joint statement about the proposed revisions - including provisions explicitly requiring compliance from non-EU companies.

    The revised EU Directive will give consumers more control over their personal data, including requiring explicit user consent before companies can use data and giving consumers the right to delete data, especially data they posted themselves, otherwise known as the "right to be forgotten." The proposed changes also will likely include increased transparency for data processing - providing greater information about when and how data is collected, stored and used, and making it easier for consumers to indicate their privacy preferences.

    In their joint statement, Reding and Aigner indicated that the revised EU Directive will contain provisions requiring non-EU companies to abide by the EU's stricter rules on data collection, or face fines and prosecution. "We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market. This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data are stored in a 'cloud'." In the past, Reding has been critical of the data collection and protection practices of non-EU-based social networking companies.

    The European Parliament and the Council of Ministers must approve any changes to the EU Directive, including any new penalties for violations, that the Commission proposes.