EU Data Protection Amendments Raise Concerns Across Borders

Monday, June 10, 2013 | Published by

A New Era for Data Protection in the EU

As the European Union prepares to adopt the most stringent data protection laws in the world, which extend to employees’ data in the workforce, businesses, government entities, and law firms alike are expressing their objections, albeit for different reasons.

Recently, the European Parliament’s legal affairs committee announced its support for uniform data protection rules. The new regulations would have broad authority extending the scope of the EU data protection law to all foreign companies processing data of EU residents.

The Parliament’s recommendations seek to ensure the fundamental rights to data protection throughout the EU member states, to harmonize data protection by law enforcement and judicial authorities, and to provide for secure transmission of data to third countries and elsewhere (please visit for more information).

For example, such measures would include amended rules on transparency and information-to-data, the right to erasure, data portability, and regulations addressing sensitivity issues surrounding data in general and specifically to children. There is also an emphasis on allocating additional resources for data protection officers and the enforcement of sanctions.

In addition, the measures would also create a data privacy regulator with broad authority throughout the European Union region. If a data breach occurs, the new law would require the data controller to notify the Data Protection Authorities within 24 hours after becoming aware of the breach, which many critics consider unrealistic. Also, if the breach is considered to have an adverse impact on the individuals affected, they too must be notified.

Furthermore, the new regulations would require companies to obtain the express consent of consumers before they may use web tracking and profiling as part of their targeted advertising schemes. This particular measure has been met with disapproval by major American and European IT companies. The possibility that more than a half-billion consumers could withhold personal details, which would otherwise be available to these companies, is viewed as a threat to the very business models that make these companies so successful.

Attorneys across the globe and international companies from a variety of business sectors including banking, automotive, aeronautics, and energy, are anticipating ways to either challenge these proposals or determine how to effectively adapt to these new measures.

Even the United States government has expressed concern over the new law. Already, in October of 2012, the Deputy Assistant Attorney General at the U.S. Department of Justice cited reservations about the clause requiring the renegotiation of existing data protection treaties within the next five years, as well as the additional layers of scrutiny recommended before involving law enforcement authorities. The DOJ claims that the new laws would create an additional layer of bureaucracy that could complicate law enforcement efforts to prevent internet-related crimes, as it could hinder the EU member state’s ability to gain assistance from Interpol.

Meanwhile, governments in South Africa, Qatar, and Dubai are developing their own data protections laws mirroring the European Union’s efforts.

The stated goal is to complete the initial plan and adopt the Regulation before the European Parliament is re-appointed in May of 2014, but it remains to be seen whether or not this deadline will actually be met. If the deadline is met, than the regulation would take effect in 2016, providing a two-year transition period to allow companies to adequately prepare for such changes.

However, global businesses (and those looking to expand globally) need to be preparing now. In particular, company leadership, risk managers, compliance and IT professionals, along with their legal counterparts need to be focusing on a number of areas to address the developing regulatory environment concerning how personal data must be handled and prepare for the associates risks.

Some of these areas include:

  • Management of human resource and customer data on-line and off-line.
  • Policies and protocols for employee monitoring on-line and off-line.
  • Management and handling of sensitive data relating to the workforce during due diligence processes.
  • Privacy & Data Management Training – including secure archiving and disposal of sensitive information.
  • Readiness to respond to a security breach.

In the current competitive market, safeguarding data is not a local question – it is a global one which we are helping our clients proactively respond to.

For more information about L&E Global’s Privacy + Data Security Practice please visit:

For an initial consultation, please contact one of our member firms or our corporate office.

Stephan C. Swinkels LL.M. MBA
Executive Director
Avenue Louise 221
B 1050 Brussels
T +32 2 64 32 633
M +31 6 523 25 531

The image used is licensed under Creative Commons by Álvaro Millán