European Privacy Framework
Privacy issues first appeared in some European countries in the 1970s, when countries started to process their citizens' data on a massive scale - which led to the first privacy laws. The demand for protection increased in the 1980s when private companies started gathering data about their customers. A common protection system was then implemented across Europe, followed by a Directive in 1995. Every European country had to adapt this set of rules to their national regulations.
The Right of privacy
In Europe, privacy is considered as a human right. Article 2 of the Directive states that 'data-processing systems are designed to serve man; they must, whatever the nationality or residence of persons involved, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals'.
According to the Directive, every European country must have a national law system about privacy in order to provide a high level of protection. Each country must have an independent Data Protection Authority, which supervises compliance and investigates applications with the power to bring violations to courts.
This common ground allows free data transfers within the European borders; however, when personal data leaves Europe, the same level of protection and compliance must be guaranteed by additional measures. A dedicated Working Party, named after the "G29" article, issues recommendations about practical compliance matters.
Framework for Personal Data Transfer
The Directive and the European Commission provide multiple solutions to ensure compliance, whether you export data mainly to the USA or worldwide. Other solutions may apply if you have either just a few or hundreds of contractors outside Europe. It is important to be careful when choosing between Privacy Shield (see: Data transfer framework), Binding Corporate Rules, Standard Contract Clauses, or even creating your own Compliance process.
Despite the European common ground, each country still has its own different law system. For instance, the amount of fines for being non-compliant can vary from 5.000 to 1,5 million Euros according to the country; Compliance rules differ depending on the local culture, for example there are huge differences between UK and Greece. And of course every form has to be filled in using the local languages.
Data Protection Officer (DPO)
Some countries allow companies to appoint a Data Protection Officer (DPO). They are in charge of:
- ensuring internal compliance of all processes handling personal data
- fulfilling the formal obligations (i.e. preparing forms)
- advising and educating management, as well as teaching other employees
- replying to inquiries from customers, employees, and the public
- communicating with the Data Protection Authority and discussing any issues
While the American Chief Privacy Officer (CPO) has no formal or legal existence, the European DPO gets his rights from law. In Germany a DPO is mandatory, whereas companies in France, Luxemburg, Netherlands and Sweden have the choice to appoint one. In other countries there is no legal existence yet, but having an official person in charge has proven to be effective in order to solve privacy issues.