Cyberlaw Predictions: Privacy Reforms in the European Union and Elsewhere

This post is the eleventh in a series of predictions from legal and business experts about the directions cyberlaw policy might take in 2013, solicited by editors of BNA's Electronic Commerce & Law Report during the closing weeks of 2012. We asked that the remarks be brief -- something along the lines of a Twitter "tweet" or an elevator pitch. Over 100 attorneys, law professors, online business executives, policy advocates and other cyberlaw experts responded, producing 307 separate assessments, predictions, or just plain complaints regarding any of the many legal subject areas that affect online businesses.

While lawmakers in the United States continued their painstaking examination of the need for online privacy regulation, the European Commission released a proposal for Europe's second set of privacy rules, the proposed General Data Protection Regulation. It's ambitious by American standards. The proposed regulation includes a broad definition of personal information; sets out new rules on obtaining consumer consent for data uses and transfers; establishes a "right to forget," "privacy by design," a data breach notification requirement, a right of access to data, a right to limit profiling, and a consumer right of action for damages; and strengthens the hand of member state data protection commissioners to enforce data protection laws.

The proposed data protection regulation will become final sometime in 2013. The European Parliament's Committee on Civil Liberties, Justice and Home Affairs recently weighed in on the proposed regulation, suggesting hundreds of changes, both small and large, while largely supporting the Commission's proposal. The Hogan Lovells Chronicle of Data Protection blog has a good summary here.

The experts' views:

Privacy by design--Let's prepare for proposed EU data protection regulation. Bradley L. Joslove, Partner, Franklin Societe D' Avocats, Paris.

New draft European Data Protection Regulation: what changes for data controllers? Also applicable to companies outside the EU! Companies may need to appoint data protection officer. Edwin Jacobs, @Edwin_Jacobs, Partner, time.lex, Brussels.

European Parliament and the Council are reviewing the draft EU Data Protection Regulation--new proposal expected early 2013 but no major changes expected. Karin Retzer, Partner, Morrison & Foerster, Brussels.

Continued morphing of non-U.S. data protection laws into competition vehicles. Holly K. Towle, Partner, K&L Gates LLP, Seattle.

The EU seems bent on making its data protection regime even more complicated and burdensome for businesses with the passage of a new Data Protection Regulation. Yet industry doesn't seem to be putting up much of a fight, yet. Michael Vatis, Partner, Steptoe & Johnson LLP, New York, N.Y.

The proposed EU Data Protection Regulation will move closer to reality in 2013, and it is likely to emerge with fewer adjustments to the originally-proposed text than many in business would want. Businesses will need to prepare for compliance with the new regime. Christopher Wolf, Partner, Hogan Lovells, Washington, D.C.

Will Google, Facebook and Twitter become illegal in Europe? In the year 2013 the European Union will introduce new data protection rules which are totally different to the understanding and practice in the U.S. The big question is: Will there be a cultural clash or competition between the systems and who will pay for all that? Are the U.S. companies willing to obey such rules? Michael Zoebisch, @zoebisch, Partner, rwzh Rechtsanwälte, Munich, Germany.

User consent rules for cookies have been finalized in all EU countries. The U.K. and German authorities are the most active--the ones to watch. Karin Retzer, Partner, Morrison & Foerster, Brussels.

Europe and the U.S. will continue their long, slow, uneven convergence toward a common approach to online privacy protection, and both will be better off as a result. The U.S. Congress will, directly or through FTC rulemaking, set some broad baseline principles of awareness and control over personal data; in parallel, the European Commission and the EU members' data protection commissions will adopt a more pragmatic, less self-defeatingly formalistic approach toward enforcement. Andrew McLaughlin, @McAndrew, Entrepreneur-in-Residence, betaworks, New York, N.Y.

The Right to Be Forgotten in the internet era seems to restore the power balance by giving effective control to individuals over their personal data. Will the new European Data Protection Regulation do the trick? Edwin Jacobs, @Edwin_Jacobs, Partner, time.lex, Brussels.

2012 saw proposed huge changes to the EU data privacy regime, but objections too. Jonathan Armstrong, Partner, Duane Morris LLP, London.

Turkey fails to pass the Data Protection Bill again, for nearly a decade now. But there's pressing need for the same; global companies and businesses should be on the look-out. Ceylin Beyli, @ceylinb, Founder & Managing Lawyer, CBL Law Office, Istanbul, Turkey.

Web sites operating in Russia should now publish their privacy policy as it is compulsory under the updated version of the Russian law on personal data. Igor Motsnyi, Partner, Motsnyi Legal Services, Moscow.

The EU's proposed "right to be forgotten," if implemented, would pose major operational challenges for both traditional and new media. Andy Roth, Partner, SNR Denton, New York, N.Y.

The debate over how much power consumers should have over "their data" will become increasingly febrile in the run-up to the new EU Data Protection Regulation. Mark Owen, Partner, Harbottle & Lewis, London.

E-Commerce Bill is on the way for codification in Turkey, in 2013. A limited regulation of Data Protection is in question, but spam and cache regulations prevail. Monetary fines will be the topping of this fine cake. Ceylin Beyli, @ceylinb, Founder & Managing Lawyer, CBL Law Office, Istanbul, Turkey.

In 2013, Brazil will head to a more regulated cyberspace: laws on the use of internet, e-commerce and protection of data and privacy are expected. João Harres & Fábio Pereira, Associates, Veirano Advogados, Rio de Janeiro.

Law 46/2012, transposing Directive 2009/136/EC on the processing of personal data and the protection of privacy in the electronic communications sector, amended Law 41/2004 (Privacy and Data Protection in Electronic Communications Law) and Decree-Law 7/2004 (E-Commerce Law) and came into force on 30 August 2012. This new law makes significant changes and affects all companies with e-commerce activity. The main updates of the law are: (1) the implementation of a data breach notification obligation to the Data Protection Commission; (2) establishing a requirement for prior express consent based on "clear and comprehensive information" for the use of cookies; (3) the regulator must issue best practice recommendations on the security levels for the technical and organizational measures to be implemented; (4) companies must maintain lists recording consent/absence of objection for direct marketing purposes and also consult the existing public opt-out list maintained by the Consumer Directorate-General on a monthly basis. Cesar Bessa Monteiro, Partner, PBBR -- Pedro Pinto, Bessa Monteiro, Reis, Branco, Alexandre Jardim & Associados, Lisbon, Portugal.


Follow me on Twitter at @tjotoole.