May 21, 2012, 9:01 PM — Big changes are coming to data protection laws in the European Union. Are you ready?
On Saturday, the U.K. will begin to enforce the amended Directive on Privacy and Electronic Communications--better known as the E-Privacy Directive-which it passed last year. Meanwhile, all 27 member nations of the economic and political confederation are debating much broader draft legislation, introduced by the European Commission (E.C.) in January, which would reform and harmonize data protection laws across the E.U.
The E-Privacy Directive, which the U.K.'s Information Commissioner will begin to enforce on May 26, requires consent for all non-essential tracking of individuals as they traverse the Web, whether that tracking involves tags, cookies or other tracking technology. In other words, Websites must inform consumers in detail about any tracking that takes place on the site and obtain consent before proceeding with the tracking.
Updating the Data Protection Directive
Like many other European data protection laws, the U.K.'s implementation of the E-Privacy Directive is an outgrowth of the Data Protection Directive, adopted by the E.C. in 1995 and intended to apply a set of common rules and safeguards for personal data throughout the member countries of the E.U. But as a 'directive' rather than a 'regulation,' it was up to the individual member countries to implement specific laws.
In the 17 years since the E.C. adopted the Directive, E.U. member states have adopted a patchwork quilt of data protection laws that vary in both language and the penalties for non-compliance. For example, when it comes to the E-Privacy Directive, some of the member countries adopted opt-in laws, others adopted opt-out laws and still others have considered annual consent procedures.
In effect, organizations operating in Europe have had to deal with a dizzying array of laws governing the holding and processing of personally identifiable information (PII).
Additionally, the Data Protection Directive was drafted in the early days of the public Internet: Hotmail did not yet exist and the public had yet to know what the term "Google search" meant. The directive did not anticipate the changes to computing that would come from software-as-a-service (SaaS) and other forms of cloud computing.
"Currently, we have 27 member states in Europe, and each one of those member states have taken it upon themselves to create their own version of the Data Protection Act" says Jason Currill, CEO of Ospero, a provider of global hosting, infrastructure and platform services.