This week offered an advance look at the outcome of the EU Data Protection Directive consultation and review process. The draft Regulation would replace the existing EU Data Protection Directive and, together with other changes, should lead to greater consistency in how data protection rules are implemented across EU member states. While the move from a Directive to a Regulation and the other administrative changes may make compliance with EU requirements easier in some ways, companies that process EU data will also find that those improvements come with new obligations and limitations.
Some of the new obligations are expected and others are less so. They include:
- A data breach notification requirement
- A move toward a COPPA-like requirement that a child’s consent must be given or authorized by a parent or custodian; unlike COPPA, however, a “child” here is anyone under 18
- The “right to be forgotten,” which includes a requirement that the data controller have the data erased not only from its own systems but also from the other places it may have gone after being made publicly available
- Data portability to allow customers to take their data from one social networking service to another
- A prohibition on building “profiles” on children (under 18 years of age)
- Consent requirements for profiling adults or direct marketing to adults
- A prohibition on disclosing personal data in response to judicial or administrative process from a third country outside the EU, unless the request comes through a mutual legal assistance treaty (MLAT) or other international agreement, or with the specific approval of a supervisory authority
It is not yet clear when the draft will become final and be officially released. Once it is, many companies may struggle with how to implement the requirements within their existing privacy programs. The costs are likely to be significant for those who rely on profiling and direct marketing, especially if they cater to teens.