In January 2012, the European Union (“EU”) introduced a draft regulation that would make it more difficult for companies within the EU to gather personal data from consumers. In the wake of recent developments indicating that the National Security Agency has been involved in questionable surveillance practices in the United States, the European Union is certainly taking steps to provide greater individual privacy protections.
What Are the Terms of the New EU Personal Data Directive?
The right to privacy is an important component of the European Convention on Human Rights, and privacy is a highly developed area of law in Europe. According to the new regulation, institutions may only access personal data if the purpose for gathering the personal data falls within three categories.
First, a company or agency may collect and process personal data if the individual is first informed. For example, among other preliminary requirements, the individual must initially be aware of the purpose for gathering personal data. Germany’s chancellor, Angela Merkel, has urged the EU to adopt additional restrictions to require internet companies to reveal details about the companies they will be sharing personal data with.
Next, a company or agency may collect personal data if the data is “adequate, relevant and not excessive” in relation to the purpose for the collection. Additional restrictions may apply if the data is more personal, such as when the data relates to religious beliefs, political affiliations, sexual orientation, or racial association.
Finally, personal data may be gathered and processed for a “legitimate purpose.” However, this is a very narrow category and the reasoning behind the data collection must be very specific.
As an added safeguard, any data collected within the EU may only be transferred to countries outside the EU if those countries provide substantial levels of personal privacy protection as well. This requirement would pose an obstacle for social media websites, such as Facebook, that exist across the world and gather information from users to share with companies that operate under different privacy-protection standards.