With a number of recent high-profile court rulings and a major new regulation in the works, data privacy has become a cause célèbre within the European Union (EU). The size and connectivity of the European market means that shifts in its regulatory framework ripple with major consequences for global business.
The EU’s latest attempt to legislate in this area is a response to shortcomings in the design and implementation of the existing system of data collection, retention and safeguarding. That system was designed to protect the private sphere from state intrusion; in practice it has become a system that punishes business.
After World War II, the protection of individual rights became a central pillar of the individual-state relationship in Western Europe. The creation of the European Convention on Human Rights in 1950 and the codification of rights in many national constitutions were part of a broader institutionalization of rights protection across the continent. Europeans wanted to prevent a repetition of the abuses of their recent past and demarcate their new liberal democratic systems from the authoritarian and communist systems to their east.
Over recent decades, the European economies have come to rely on computerized information for a wide range of financial and policy functions, and the volume of consumer data gathered by the private and public sectors has grown exponentially.
There remains a perceived tension between Europe’s commitment to the individual’s right to privacy and the growth of the digital economy, which is crucial for Europe’s future prosperity. The EU’s initial response to this tension was Directive 95/46/EC, otherwise known as the 1995 Data Protection Directive.
The legislation was framed dually as a move to protect individual privacy against government and corporate intrusion, whilst at the same time aiming to improve data flows across Europe.
In practice, however, the directive’s implementation allowed an erosion of privacy, particularly financial privacy. Member states turned the directive into a vehicle for their own purposes through exceptions and loopholes that relaxed their own data-use requirements relative to those imposed on the private sector. Measures intended to protect privacy morphed into a lever against the private sector in tax compliance and foreign investment.
Impact of enforcement and harmonization
The 1995 directive gave the EU institutions considerable power over the member states. Every member state was required to create a Data Protection Authority (DPA) to monitor compliance with data protection legislation. The DPAs enjoy extensive access to a large part of businesses’ information, handle complaints from customers or agencies, and initiate legal action against non-compliance.
While this may increase consumers’ sense of security relative to businesses, it comes at the cost of privacy relative to the government. Financial institutions face a heavy set of obligations to comply fully with the directive. Transfers of personal data out of the EU, including the data that accompanies international money transfers, are governed by Article 25 of the directive because such transfers concern EU citizens’ data.
These transfers receive special scrutiny because of concern about the level of privacy protection in the receiving countries. However, many member states, worried about the economic effects of creating obstacles for foreign companies, allow transfers to proceed even when they suspect a violation. While some transfers require only the consent of the individual whose data is being transferred, others must be made under approved standard contractual clauses or require DPA approval of the transaction.
There are often tax consequences for individuals and businesses transferring money electronically, making many reluctant to seek DPA approval. Clients seek credible discretion from financial institutions, but the directive makes this virtually impossible to offer.
The Commission is less willing than the member states to accept this lack of enforcement. Article 26(2) of the directive allows a member state to authorize transfers to a third country on the basis of adequate safeguards, and Article 26(3) requires that member state to notify the Commission and the other member states of such authorizations. In its First Report on the Implementation of the Directive, the Commission found that the number of notifications received under this requirement “is derisory by comparison with what might reasonably be expected.”1 Equally, the Commission has stressed its desire to harmonize implementing laws across the member states to ensure a uniform level of protection, hence the proposed move from the 1995 directive to a directly applicable regulation. Further Commission efforts to extend compliance are likely to put the DPAs under pressure to step up enforcement of the directive, placing a costly burden on financial institutions.
If institutions are making transfers to a non-EU country that has been found to lack adequate privacy protection, the member state involved must suspend the transfers and wait for the Commission to negotiate a solution before allowing them to continue. Financial institutions generally attract greater scrutiny because of the “nature of their data.” To assess a transfer, the Commission, the member state governments and the DPAs must all have access to the information being transferred.
The Commission can forbid data transfers to third countries when it finds data protection concerns. The criteria for finding a third country’s regime deficient are both broad and vague. Once the EU finds a country lacking, it is up to the member states to ensure that transfers are prevented. Because this severely hinders business in international markets, the EU established rules under which member states may grant permission for individual transfers. This gives the member state government direct access to the transfer, allowing it to restrict financial transfers it does not favor (e.g. legal tax structuring).
Even transfers within the EU provide large amounts of information to government authorities. Each member state must, under Article 28 of the directive, install a supervisory authority that oversees the implementation of the data protection laws and that must, under Article 18, be notified before a processing operation takes place. The information to be provided is determined individually by each member state, and whenever non-compliance is discovered the authority can choose to ban that processing operation. The information must always be ready on demand, since it can be requested by the member states or the Commission at any time. To address this issue, the Article 29 Working Party is considering a single EU-wide notification requirement that would apply one set of requirements across all the member states.
Member state gains through directive loopholes
Although some member states, particularly the U.K. and Ireland, objected to the 1995 directive, there was less resistance than might have been expected given the considerable power it transferred to the EU. This can be explained by the fact that the directive also shifted the balance of power between member states and private actors in favor of the governments.
The member states enjoy broad exceptions to the directive based on national and public security concerns. Member states may dispense with the consent and notification requirements, and may enact laws contravening the directive, where it is in their “economic or financial interest” to do so. This is especially problematic for financial institutions: the member states have extraordinary access to the data financial institutions process, which exposes the institutions to compliance violations and, worse, puts their customers’ privacy at risk.
Member states have a special interest in collecting tax revenue and are therefore incentivized to be especially vigilant over money moving across borders, a surveillance made easier by the loopholes in the directive.
These loopholes and their consequences matter because of their effect on businesses, and also because they often undermine the stated goals of the directive. The directive claims to facilitate the free flow of personal data within the EU, yet it empowers member states to pounce on firms that are not in full compliance with regulations that are virtually impossible to comply with. This loophole facilitates the free flow of information among the member states’ national governments at the expense of individual privacy.
Effects on the private sector
In many respects, the directive transformed the private sector into agents of the state. Instead of a presumption of innocence, with business conducted freely, the member states created authorities that watch over firms and wield the threat of serious repercussions for non-compliance with nebulous legislation. Member states concerned with financial movements now have free rein to examine any individuals or companies they feel are acting against their economic interests.
The member states can use the DPAs to audit files without obtaining any permission from the owners or processors of the information. A precedent for this is the 2009 Belgian case in which Yahoo was fined for refusing to disclose an individual’s data to the state prosecutor. This helped other member states to make “failure to register data processing activities with the DPA a criminal offense.”2
Article 3(2) also places processing for public security, defence and state security outside the scope of the directive, removing for governments some of the customer notification and awareness requirements that businesses are compelled to follow. Government agencies do not necessarily have to disclose what information they are processing about individuals or individual companies. The increased government attention and action after 9/11 produced unintended consequences for financial institutions. For most data processing, the complexity and length of the required procedures make it difficult to move any information quickly or efficiently. This poses a specific problem for financial information, as financial institutions need to move information quickly at the direction of their customers while handling the ever-expanding regulatory framework of the directive.
An exception to this rule exists for tax authorities, who can process financial information to a much lower standard. In determining the level of compliance required of businesses, the regulators in the member states can set different levels for different kinds of companies according to their degree of risk. Financial information is deemed higher risk and is therefore subject to a special level of scrutiny. Businesses assessed as higher risk can be required by the member state to publish data reflecting their use of the information.
To address the problems with the directive, the EU introduced the Proposed General Data Protection Regulation in January 2012. One of the main critiques by EU regulators of the directive’s impact was unequal member state implementation. The proposed regulation aims to institute new standards that will harmonize laws across national legal systems.
The proposed regulation vastly increases the Commission’s power by expanding the areas in which the Commission may legislate. Many member states objected to the proposal, especially Germany, France, Italy, Luxembourg, Poland, Sweden and the United Kingdom, as did Norway, an EEA state bound by the directive. Member states with national data protection authorities would be forced to give up most of the power those authorities retain, as they would become mere messengers for the Commission. This reduces the ability of member states to compete on data privacy regulation and requires all companies to bear the compliance costs of the new regulation. The Commission would have the final word on questions of the regulation’s application, limiting member states’ ability to tailor it to their citizens’ specific needs or to accommodate different kinds of business.
The evolution of financial privacy under the 1995 directive illustrates that, while national governments often resist the transfer of power to EU institutions, where such a transfer offers a means of expanding their own power at the expense of private entities, national governments may be persuaded to play along without causing too much fuss. Instead of expanding the regulatory framework still further, the Commission should return to the stated goals of reinforcing individual privacy, allowing a greater flow of information and reducing government seizures of individual information. The EU’s court has emphasized the importance of individual privacy as a core European value in its recent case law on data retention. That is only to be applauded as the way forward.
This is based on a longer piece by Bill Davies & Julia Morriss, The EU Data Directive: Uniting Europe and Dividing Privacy, Journal forthcoming.
- 1 European Commission, First Report on the Implementation of the Data Protection Directive (95/46/EC), p. 19.
- 2 Cunningham, McKay. “Privacy in the Age of the Hacker: Balancing Global Privacy and Data Security Law.” George Washington International Law Review (2012): 643-695.