11 points to consider when applying the E.U. Data Protection Directive
The E.U. Data Protection Directive (officially Directive 95/46/EC) aims to give citizens of the European Union control of their private data. It is a fundamental element of E.U. privacy and human rights law. All E.U. member states must incorporate these guidelines into their national laws.
If you are a community manager in the E.U. looking for community software, here are the answers to some questions you might have:
Q1: What is the Data Protection Directive all about?
A1: In essence, the Directive regulates both the manual and automated processing of personal data within 4 main contexts. Specifically:
- Data that can identify a person should not be processed (collected, stored) unless there is a legitimate reason.
- Transparency, Purpose and Proportionality
The controller (the entity processing the data) should identify themselves and can only process data if consent is provided, and then, only for the purpose specified. Extra restrictions apply to sensitive personal data.
- Supervisory Authority and Public Register
Controllers must let the local government know about their data processing activities. For example, a French company would log onto http://cnil.fr and fill out a form. This registration will go away in May 2018 when the reforms to the DPA come into effect.
- Transfer of Data to Third Countries (countries outside the E.U.)
You can’t transfer personal data to another country unless that country has similar data protection rules in place. For example, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is considered to provide adequate protection, which means that data can be moved to Canada.
Q2: What kind of personal data is captured by community software?
A2: This depends on the platform. Most platforms allow you to create detailed member profiles. At a minimum you will be capturing the member’s username, email address and IP address. This data is considered personal information.
Q3: What is ‘sensitive personal data’?
A3: The Directive specifies sensitive data as relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and health or sex life. Processing sensitive data requires stronger protection from the data controller.
Q4: What about the content my community members post in public? Is that personal data?
A4: The Directive was drafted before the explosion of user-generated content (UGC) and doesn’t appear to comprehensively address it. Here are some best practices to help community members better understand how their content will be used:
- Warn members to whom posted content will be visible (e.g., registered members, public).
- Warn members if their content will be indexed by search engines.
- Discourage members from posting sensitive personal information.
- Allow members to participate in the community pseudonymously.
- Delete member profiles and content upon request (The Right to Erasure).
Q5: If I use cloud-based community software, who is the data controller? Is it me or my vendor?
A5: The data controller is the institution or body that determines the purposes and means of processing the personal data (that means you). Your vendor is a processor. Currently, the rules only impose direct compliance obligations on the controller, but the new rules coming in 2018 will also impose obligations on processors. You, as the controller, have ultimate responsibility for protecting your community members’ data.
Q6: Can I use a community vendor from the United States?
A6: Yes, however, you must choose between the following two options:
- Either the vendor processes the personal data inside the E.U. and never transfers it to the U.S., or,
- The vendor (or the vendor’s hosting company) is self-certified and registered under Privacy Shield with a data transfer agreement in place that uses the standard contractual clauses (SCC) issued by the European Commission. (See Q7 and Q8 below.)
Q7: What should be in the data transfer agreement?
A7: This agreement must set out obligations by you (the data exporter) and the vendor (the data importer). Obligations include things such as data security and granting the same data protection as set out in the E.U. Data Protection Directive.
Q8: What was Safe Harbor and what is Privacy Shield?
A8: Safe Harbor was a means by which U.S. companies could transfer data from the E.U. to the United States. E.U. courts struck down Safe Harbor after the Edward Snowden leaks revealed that the U.S. government was accessing E.U. citizens’ Facebook data without consent. Privacy Shield is a new but very similar framework that tightens up some requirements and adds greater government supervision and more oversight of law enforcement’s access to data.
Q9: What is the General Data Protection Regulation (GDPR)?
A9: GDPR is a reform to the Data Protection Directive that comes into effect in May 2018. Here are the major differences:
- A unified set of rules across the European Union. Local governments will need to apply the law uniformly and there will be one E.U. supervisory authority.
- A broader definition of personal data.
- Opt-in required and greater transparency of how data will be used.
- Mandatory notification to people when their data is breached.
- Steeper fines for breaking the rules.
- Larger companies will need to designate a Chief Privacy Officer.
Q10: What about Cookies?
Q11: My Facebook page is part of my community. Do I need to worry about data protection?
A11: Your company Facebook page and the data it contains isn’t owned by your company, it’s owned by Facebook. Facebook is the data controller and must abide by local laws when processing data.
This blog post provides an overview of E.U. data protection rules for companies considering the purchase of cloud-based software. It is not intended as legal advice. Obtain legal counsel if you have any concerns about legal compliance.
If you think we got something wrong in this post, please leave a comment or send us an email.