By David Taylor, Lovells
The past decade has seen a huge increase in the processing of personal data, both in terms of volume and importance. Whether for the terms and conditions of a social networking website, for a new file implemented by a local government, or for a new data breach, data protection is necessary and ubiquitous.
Often, local subsidiaries believe that creating a file or implementing software to follow up on clients and prospects or to manage employees has nothing to do with data protection. But practices involving the processing of personal data have significant implications if the same entity decides to outsource resources to an affiliate at the other end of the planet.
The main issue with the protection of personal data in a global environment is the lack of an internationally applicable standard.
Even the most harmonized system has inherent disparities. The European Union’s directives on the protection of personal data have ensured a minimum level of harmonization, but their implementation by the 27 respective Member States has led to important disparities.
Compliance with one set of local laws or undertakings might not be sufficient. European legislation prohibits the transfer of personal data to countries which are regarded as affording inadequate levels of data protection unless certain conditions are met. Since the United States are considered to be in that category, the European Commission and the US Department of Commerce (DoC) have set up a “Safe Harbor” scheme whereby US companies can subscribe to a number of data protection obligations through the DoC and obtain certification allowing them to receive data from the EU.
In addition, once they are in good standing under the Safe Harbor scheme, data will only be lawfully transferred to them from the EU if the entity sending the data has complied with its own obligations under the laws of the country in which it is established.
What are the risks? In most European countries, data protection authorities have recently seen their prerogatives extended and their budgets and staff increased. This has resulted in more investigations and a surge of penalties being imposed on major corporations. In many countries, infringement of data protection legislation can be regarded as a criminal offence and lead to administrative penalties. Sanctions have, up to now, remained relatively low. However, the heat seems to be gradually increasing, as evidenced by the forthcoming trial of four Google executives before the Milano (Italy) criminal court charged with defamation and failure to exercise control over personal data.
Clearly, there is a growing legitimacy to the current hype around data protection.
David Taylor is Partner, Intellectual Property, Technology and Media at Lovells. Lovells is one of the largest international legal practices with offices in Europe, Asia and the United States
