European Union’s three regulatory bodies have reached an agreement on common rules for governing data privacy across all member states. Europe’s data privacy reform has been in the making for at least three years and now finally appears close to enactment.
While addressing what businesses can and cannot do with users’ personal data and outlining rules for access to personal data by law enforcement, the packages do not address cross-border data flows, which until recently were governed by a set of rules called Safe Harbor but was stricken down by the European Commission, causing a stir in the cloud services industry, where the biggest players are by their nature operating globally distributed data center infrastructure.
“Our next step is now to remove unjustified barriers which limit cross-border data flow: local practice and sometimes national law, limiting storage and processing of certain data outside national territory,” Andrus Ansip, VP for the Digital Single Market, said in a statement on the recent agreement, reached earlier this week. Digital Single Market is an EC initiative to promote a unified single digital economy across the EU, governed by a common set of laws.
The reforms EC, the European Parliament, and the European Council agreed to consist of two sets of rules. Rules for personal data and businesses are in the General Data Protection Regulation, while law enforcement’s access to data is covered by the Data Protection Directive.
The Directive aims primarily to protect the privacy of victims, witnesses, and criminals while enabling police across the EU to exchange information during investigations and follow the same data access protocol regardless of where in the Union data they seek reside.
But it also outlines rules for transfer of personal data outside of the EU, an issue over which Microsoft and the US government have been battling in court. US law enforcement officials have requested that the company provide personal data of an investigation subject, but the data is stored in a Microsoft data center in Dublin, Ireland, and the company has declined to provide it on the grounds that the US government’s jurisdiction does not extend beyond US borders.
The next step for the EU’s data privacy reform is for the European Parliament and Council to adopt the new rules starting in 2016. The laws will go into effect two years thereafter.
More details on the proposed rules in the European Commission's announcement.