. . . a delayed delivery notice for the biggest package of the holiday season!
(LONDON) Major changes are on the way in Europe that will have a significant impact on companies anywhere in the world that collect or process personal data of residents of the EU. But what will the precise nature of those changes be . . . and when will they arrive?

The draft Data Protection Regulation is still being negotiated by the various political institutions of the EU. While there is a slim chance that the final version will be promulgated before the next EU parliamentary elections in 2014, many commentators think that's unlikely. If the Regulation is not finalized before the elections, it will be subject to further discussion by the new parliamentary members and will roll into 2015. (The political process is recapped below.)
However, even without a final draft of the Regulation, we can be reasonably certain about a number of features of the new legislation. And 2014 will almost certainly see changes to the US Safe Harbor regime in response to the EU's pointed criticisms and recommendations that need to be addressed (under the threat that the Safe Harbor regime could be revoked by the EU). See our previous commentary on potential Safe Harbor changes and recommendations for action here.
What should US companies that deal with EU personal data do now (well, as soon as the holidays are over)?
Without a definitive draft of the Regulation or confirmation as to how Safe Harbor will change, the best way to prepare for the new Regulation and potential changes to Safe Harbor is to get a very thorough knowledge of data flows within your organization and to or from third parties. Companies should have a comprehensive grasp of what personal data is collected, where it came from, how it is used and for what purposes, whether any consents have been obtained, and how it is stored (including security measures). What contractual protections are in place to govern how data is used and protected when there are transfers between companies (either within a corporate group or outside of a group)? Is any of the data "sensitive" personal data under the current EU Directive? Can you articulate "legitimate purposes" for your use of the data (again, per the current Directive)? Do you have good records of consent that can be tied to particular data?
In other words, if you audit your company's compliance with the current Directive (and Safe Harbor, if you are registered)...