Some form of EU data protection law has been in force since the mid-90s, but the legislation continues to grow and develop to meet the changing pressures and challenges that come with technology and its increasing reach into the lives of individuals.

As a startup, business owner, or e-commerce store operator, it's important to know how EU data protection law works, and what you need to do to comply with it.

The newest development in EU data protection is that a new law is coming into place, the EU Data Protection Regulation (the Regulation).

This Regulation is intended to cover the whole EU region in a cohesive manner, rather than a patchwork of rules in each individual country. The purpose is to make things easier for small and medium size businesses to operate within the region without having to understand and comply with numerous different sets of rules.

There are a number of important changes that the new data protection regulation will bring, and some of these changes will require major compliance steps to be taken by businesses based both inside and outside the region.

Let's take a look at some of those changes, and what you need to know about them.

It's a regulation, not just a directive

The current law in place is the EU Data Protection Directive 1995, which sets out a number of data collection principles.

These data collection principles are:

  • Customers must be notified when you are collecting their data;
  • Personal data should only be collected for specific (and lawful) purposes;
  • The data collected should be adequate and relevant for the purpose;
  • Personal data should be accurate and kept up to date;
  • Personal data should not be kept for longer than necessary;
  • Appropriate security measures should be put in place;
  • Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory also ensures an adequate level of protection for that data.

Individual EU member states had to implement local laws to bring the Directive into play in their jurisdiction.

In the UK, for example, the UK Data Protection Act 1998 was enacted. There was a three-year gap between when the Directive was issued and when the Data Protection Act came into force.

This gap meant that businesses had time to prepare for the new laws. It also meant that the laws could differ slightly from one EU member state to another.

The new Regulation will take effect immediately and will apply to all 28 EU member states, without them needing to implement local laws. As a reminder, these are the countries that are currently in the EU:

Map of States of EU

It's not guaranteed, but the Regulation will also likely include a grace period or lead-in time so that businesses have time to comply.

There's no indication as to how long this period might be, though, so it's best to get organized beforehand as much as possible.

You need to comply — even if you're not in the EU, but you hold data on EU citizens.

With the increasingly international nature of doing business, this is an important point to note. Even if you're not in the EU, if any of your customers, or website or app users, are in the EU, you will need to comply with this new regulation.

There are a number of ways in which you might be collecting data on EU citizens, particularly through a website or app. If your website or app collects customer information before they can purchase an item or when they register for an account, some of those customers might be from the EU.

This Regulation will cast a very broad net in terms of catching e-commerce stores and online service providers, and if you think you might be captured by this Regulation, you need to set up compliance measures sooner rather than later.

One of the first ways in which you can ensure you comply is by setting up a Privacy Policy that is in line with the new Regulation. The details of the Regulations have not yet been released, but there are some things that you can prepare early.

The content of your Privacy Policy will be prescribed by the regulations, but it's also important to ensure that your users have actually agreed to it. The best way to do that is to use a clickwrap method to get their consent.

Most websites use what is called a browsewrap method, which is less effective in securing legal agreement. A browsewrap method is where the user is presumed to have agreed to a legal agreement simply by browsing the website.

Here's an example of what I mean:

Ars Technica Website Footer

You can see that the Privacy Policy link of Ars Technica is in small writing at the bottom of the page. While it's highlighted in orange (which is a good start), it still requires the user to scroll down to the bottom, read the very small writing, click on the link, and then read the agreement.

A clickwrap method, on the other hand, is where the user actually has to click to agree.

This is legally much stronger, as there is no doubt that the user has clicked "I agree", as long as they have had an opportunity to view the agreement and the agreement is clearly linked to the "I agree" checkbox or button.

Here's an example of a clear clickwrap method from Drupal.org:

Drupal - Create An Account Form

You can see that the agreement (a Terms and Conditions agreement in this case) is clearly visible, with tick boxes for the user to click to confirm that they accept it.

This is a good example and a model for what you need to use when creating policies in line with the new EU Regulation.
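As an added illustration (not code from the original post or from Drupal.org), here is how a sign-up flow can enforce the clickwrap pattern described above: the checkbox is never pre-ticked, the submit button stays disabled until it is ticked, and the server only records consent when the box was affirmatively checked against the policy version the user was shown. The field names, the policy version string and the JSON request shape are assumptions.

```javascript
// Assumed current policy; in practice this comes from your own configuration.
const CURRENT_POLICY = { version: "2015-03", url: "https://example.com/privacy" };

// Server-side check on a JSON sign-up request.
// Returns { ok: true, record } when consent is valid, else { ok: false, reason }.
function recordClickwrapConsent(submission, policy = CURRENT_POLICY, now = new Date()) {
  // Only a real boolean true counts: a missing field, a string, or the
  // browsewrap assumption "you agreed by using the site" is not consent.
  if (submission.agreedToPrivacyPolicy !== true) {
    return { ok: false, reason: "privacy policy not affirmatively accepted" };
  }
  // Tie the consent to the text the user was actually shown.
  if (submission.policyVersion !== policy.version) {
    return {
      ok: false,
      reason: `consent given to policy ${submission.policyVersion}, current is ${policy.version}`,
    };
  }
  // Evidence you can produce later: who, which version, when, and how.
  return {
    ok: true,
    record: {
      userId: submission.userId,
      policyVersion: policy.version,
      policyUrl: policy.url,
      acceptedAt: now.toISOString(),
      method: "clickwrap",
    },
  };
}

// Browser wiring: keep submit disabled until the checkbox next to the
// linked agreement is ticked. Never pre-tick the box for the user.
function wireClickwrapForm(form) {
  const box = form.querySelector('input[name="agreedToPrivacyPolicy"]');
  const submit = form.querySelector('button[type="submit"]');
  box.checked = false;
  submit.disabled = true;
  box.addEventListener("change", () => { submit.disabled = !box.checked; });
}

// Only runs in a browser; the validation above also works in Node.
if (typeof document !== "undefined") {
  const form = document.querySelector("form#signup");
  if (form) wireClickwrapForm(form);
}
```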

This is a stricter law all-round

Overall, it appears that the Regulation will be stricter than the Directive in a number of ways.

First, it will include a new requirement for many businesses to have a Data Protection Officer (DPO).

A Data Protection Officer is a dedicated staff member who is tasked with ensuring that the Regulations are applied within their business or organization. They are to act in an independent manner and keep a Register that can be accessed by any interested person.

Second, the Regulation will include tighter rules on the transfer of data outside of the EU. This may cause some issues with the transfer of data between the US and EU.

It's important to comply with all of the above, as the new regulation also involves tougher sanctions and higher fines for those who are in breach. Under the Regulation, a breach of personal data can result in your business incurring fines of up to €100 million or 5% of annual turnover.

This means that data protection is being taken increasingly seriously, and breaches will not be taken as lightly as they may have been in the past.

This law has been several years in the making, and companies have had a significant amount of time to ensure that they are able to comply, which means that oversight bodies are less likely to be sympathetic to non-compliant businesses.

The aim is for all of this to be in force by the end of 2015, so it's important to get compliant as soon as possible.

Ensure that you have set up a good Privacy Policy that's ready to be amended to capture any new requirements set out by the Regulation, and also that you have a person ready to be appointed as a Data Protection Officer.

Make sure that you have good clickwrap methods in place for gaining agreement to your legal agreements, and keep in mind that you may be required to comply with the EU law even if you're not in the region, but have users from the EU.
