An Excerpt From: K&L Gates Global Government Solutions ® 2012: Annual Outlook, January 2012

IP, Data Protection, and Telecommunications

EU Data Protection: Poised for Reform in 2012

Since 1995, the EU has operated under a comprehensive system of regulation to protect personal data and privacy. This regime includes such principles as the fair collection of data, a right to object or consent to the disclosure of personal data to a third party, limited retention periods, and the creation of independent data protection authorities in each EU member state. Implementation of this EU legislation across the 27 EU member states, however, has been less than perfect, and despite the existence of a purportedly unified EU framework, companies spend more than €2 billion per year adapting to the disparate requirements of each specific national legislation, according to the EU’s Commissioner for Justice, Fundamental Rights and Citizenship, Viviane Reding. In late 2011, Commissioner Reding made public her proposals for reform of these rules, and it is anticipated that in 2012 this framework will be broadly reorganized in an effort to minimize national deviations.

At about the same time that Commissioner Reding’s proposals were announced, the Court of Justice of the European Union (CJEU) rendered a decision that illustrates the need for full harmonization of European regulation in this area. In a decision dated November 24, 2011, the CJEU held that in implementing the provisions of Directive 95/46 on personal data protection (Directive), Spain had gone beyond the scope of the Directive by imposing additional requirements on the collection and processing of personal data by organizations without the consent of the data subject.

EU privacy regulations apply primarily to entities known as “data controllers” (i.e., the entity in charge of the purpose and means of the data use or “processing”).
Article 7(f) of the Directive provides that, as a general matter, prior consent of the subject of the data (a data “subject”) is not required when the processing of the subject’s data is “necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.” Implicit in this formula is a balancing of interests between the users of data and the subjects of it.

In implementing the EU privacy legislation, Spain had included in its organic law no. 15/1999 on data protection (Spanish Act) a provision that only data contained in material accessible to the public could be collected without the prior explicit consent of the data subjects. In its November 2011 decision, the CJEU found that such a restriction did not comply with the Directive.

The Spanish Act effectively prohibited the use of data not derived from public sources without the consent of the data subject. A balancing of the legitimate interest of the data controller and the fundamental rights and freedoms of the data subjects was required under the Spanish Act only in cases where the data originated from public sources. As a result, the Spanish data protection authority has invariably required the prior explicit consent of the data subject for data from any other source.

The Spanish Act’s variance from the requirements of the Directive broadly affected the Spanish market for direct marketing and commercial information. Beyond this, the Spanish Act sometimes served as a guidepost for those interpreting the Directive, leading them to state as a general principle that all collection of personal data was subject to prior express consent, regardless of the source material.
Yet this was neither the wording of this article, nor the intent of the EU Directive. Though Article 7 starts off with “Member States shall provide that personal data may be processed only if (…) the data subject has unambiguously given his consent”, this is quickly followed by an “or” and a list of five other possibilities for data collection that may occur without the data subject’s consent. These five other possibilities were not meant to be subsidiary to the consent requirement. Consent of the data subject was intended as one of several alternatives for the proper collection and processing of personal data—and this is just what has been affirmed by the CJEU decision.

Under EU law, the consent solution is the least preferable option for both companies and data subjects; indeed, consent must be freely given, explicit, and discretionary. It may not allow the adoption by a company of a long-lasting and global commercial policy, as each data subject’s will could potentially put an end to it. In addition, the withdrawal of consent may never allow a data subject to rewrite the past and “reclaim” the personal data which may have been transferred throughout the world.

In its decision, the CJEU also declared that Article 7(f) was unconditional and sufficiently clear. Therefore, it is of direct effect and may be raised by anyone, and must be enforced under the national jurisdiction of all member states.

This decision comes as strong support to Viviane Reding’s efforts to truly harmonize the European legislation, which should move forward in 2012. European and U.S. companies that are affected by EU privacy regulations will need to be alert to developments in 2012 and protect their interests. Indeed, the benefits of the upcoming harmonization are likely to facilitate compliance by multinational data controllers. At the same time, companies must be alert to new efforts that might focus on data subject consent as the sole means of enabling data use.

Finally, the 2012 reform could threaten both North American and European economies if, further to Commissioner Reding’s project, the applicable law criterion were to be amended. Since 1995, the establishment of the “data controller” has been a secure and stable applicable law criterion. However, the latest drafts published in December 2011 by the services of the EU Commission provided that EU privacy laws would apply to any company which targets its service to EU residents. If this criterion were finally adopted, the processing of personal data would become a giant puzzle for online service providers all over the world. If this option is confirmed in late January 2012, the remaining choice for multinational companies or Internet players will be between wishful thinking and lobbying initiatives.

Etienne Drouard (Paris)
etienne.drouard@klgates.com

This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.

©2012 K&L Gates LLP.
All Rights Reserved.