Based out of Frankfurt, Cyril Simonnet is Varonis’ Sales Director for Germany, Austria, Nordic countries, and emerging markets. Simonnet has been watching the shifting fortunes of the EU’s proposed changes to its overarching data security rules, the Data Protection Directive or DPD. These regulatory reforms have seen their share of obstacles as they slowly progress to becoming a new EU law. But in recent months, there have been serious objections from several key EU nations, particularly Germany, on foundational aspects of the reforms—whether to have a central data protection authority coupled with ‘harmonised’ rules across all member countries.
I’m guessing that most Americans—other than Metadata Era readers, of course—became aware of the EU’s data security laws as the result of the NSA documents. Upon discovering that US-based service providers handed over personal data of EU citizens to US intelligence agencies, EU leaders led by Germany’s Chancellor Merkel made headline-worthy remarks about strengthening the existing Euro data regulations—i.e., the DPD. More tech-knowledgeable Americans may have learned in the mainstream media that Google, Facebook and other US social media players ran afoul of the DPD’s stricter requirements on privacy opt-in, data retention, and user access to personal data.
Less well known is that the EU over the last two years has been engaged in a long legislative process to update the DPD with new and, for some, controversial rules—the right to be forgotten, tougher breach notification standards, and, most importantly, a single set of data security regulations for the entire EU community. This last one, which in EU-speak is referred to as “harmonisation”, may prove to be something of a deal-breaker.
Let’s step back a little for a brief history lesson. In 1995, the EU Parliament approved Directive 95/46/EC, which we non-technocrats refer to as the Data Protection Directive. The DPD effectively sets up guidelines for protecting consumer personal data and establishes basic data privacy rights. It was innovative legislation on several different levels, but especially with its sophisticated notion of what you refer to here in the US as personally identifiable information or PII: the DPD defined it as any piece of data that could relate back to an identifiable individual. The US, by the way, is finally coming around to this more abstract view—instead of enumerating the most common identifiers—as it debates its own comprehensive data security rules.
As a Directive, the actual regulations were meant to be interpreted and separately implemented by national data protection authorities or DPAs. This has inevitably led to confusion for companies doing business in a Eurozone that has 28 different variations on the DPD theme along with different enforcement thresholds for the rules.
For example, Germany’s own DPA recently said Facebook’s facial recognition software violated privacy rules, and regulators ordered the social media company to gain consent from its subscribers or else delete the data. Other DPAs have taken an opposite approach and won’t consider facial images and other biometric data to be identifiers. There are also differences over, for example, whether IP and email addresses can be linked back to an individual.
The EU countries have long recognised the issues with separate DPAs, and that’s why a key element of the reforms is a single EU authority (or “one stop shop”) and a single set of rules. EU regulators would like to make these updates into a Regulation, which would apply to every country, rather than a weaker Directive, which only provides guidance to legislators at the national level.
At first there was momentum towards passage of the new data security rule. In the wake of the NSA revelations, EU justice ministers in July agreed in principle to the reform of European data protection. And Chancellor Merkel was very public in calling for the passage of the Regulation, on which Germany, she said, would take a “very strict position”.
However, there’s something called politics that comes into play. While Merkel, who is up for election, has openly supported the data reforms, there is also a fear of the unknown and giving up local control. Because of historical circumstances, Germany’s laws on data security and surveillance are far stricter than other countries in the EU. Merkel has also said that as head of the government, “I have to make sure that here in our country German law has been upheld.”
It appears now that Berlin does not want a “super data protection authority” in which there would be mandatory enforcement of data protection for German companies by an outside agency. State Secretary of the Interior Ole Schröder has pointed out this is not just about a general overhaul of the data protection directive; rather, this process would also replace the entire German data protection legislation of almost 300 laws.
Further complicating matters were the newspaper reports—also based on the Snowden documents—that the NSA was listening in on Chancellor Merkel’s phone conversations, leading to a heated exchange between the German leader and President Obama. This personal phone spying did not help the No-Spy talks that had been going on between the US and Germany and were intended to deal with the large-scale data snooping of German citizens. These talks are now essentially deadlocked.
Merkel is therefore under incredible pressure to take charge and put her own stamp on data security policy. It’s not that she’s against the principle of the new EU rules, but she feels they don’t go far enough and that German laws are simply stricter in this area. Or as Secretary Schröder puts it, “Harmonisation, yes, but not at any price.”
The bureaucratic overhead, technical details, and penalties of the new rules have been a concern in Germany as well as other countries, most notably the UK. The new data protection provisions, for example, are supposed to apply to all companies that have registered more than 5,000 customers in their system within the course of one year. Small operations are to be spared from excessive bureaucratic requirements. The EU Commission, though, is also considering another provision, which would use a company size of 250 employees as the basis. And some companies—that is, quite frankly, US social media companies—could potentially be fined in the billions—“2% of worldwide turnover”—for non-compliance.
In addition, larger firms would have to appoint a data protection representative who ensures that the new regulations are adhered to. At the same time, the EU regulation would do away with the provision that applies to German companies, which requires the addition of a data protection representative if the company processes sensitive customer data and employs ten or more people.
The actual data protection legislation was on a slow train to begin with—after extensive lobbying it has only recently come out of the committee, where it now waits to be voted on by the full EU Parliament. While there was some hope that the vote would take place in the spring, this now appears less likely with both the UK and Germany, for different reasons, saying they want to take a go-slow approach. This doesn’t mean that there won’t be fundamental changes in data protection, but rather that the reforms will likely fall short of the grand goals of harmonisation and a single set of rules.