New EU Data Protection Regulation
Now that Europe has finally reached an agreement on the final text of the General Data Protection Regulation (GDPR), in December 2015, everyone agrees that the new rules will impact business. The GDPR sets out the rights of individuals and requires companies to inform individuals that their information will be processed. J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), said in TechCrunch that, to him, the law is “a milestone of the Digital Age”, with every company working in the EU having to appoint a “data protection officer” (DPO) within 3 years from this spring. Stewart Room, cyber security and data protection partner at PricewaterhouseCoopers (PwC), goes even further and says that the law will affect “all businesses, not only in Europe” because of the extra-territoriality of the agreement. For Jeffrey Ritter, a contributor to TechTarget, the GDPR is a huge challenge for U.S. companies and it “may be one of the most influential pieces of legislation for international trade that we’ve seen in some time.”
EU-U.S. Data Transfers
Huge uncertainties have hovered over EU-U.S. data transfers since the European Court of Justice declared the “Safe Harbour Decision” invalid in October 2015. The EU directive formerly allowed businesses to move Europeans’ data to servers in the U.S., until the European Court of Justice ruled that Europeans’ data were insufficiently protected. The invalidation has huge implications for tech giants, social media and e-commerce multinationals. EU and U.S. privacy regulators met on February 2nd to find a common position, and they agreed on a new framework for transatlantic data flows. However, the EU’s data protection authorities did not decide whether any transfers of Europeans’ personal data to the U.S. are legal, and Europe’s national legal agencies asked for more details. The next step is the decision to be made by the European Commission in the coming weeks.