Data Protection and Privacy in the European Union

By Michael Harris

Recently, Ethos Privacy’s Michael Harris and Stephanie Perez-Cortez moderated a rock-star panel of privacy professionals for the Washington State Bar Association’s International Practice Section and the Hispanic National Bar Association Region 16. The panel, titled “Data Privacy in the European Union,” included Ethos Privacy Content Director Emily Leach, IAPP General Counsel and DPO Rita Heimes, and Hintze Law Of Counsel Laura Lemire.

Attended by lawyers from Washington and Oregon, the panel began by providing an in-depth overview of the background of EU privacy law, starting with the European Convention on Human Rights of 1953 through the General Data Protection Regulation (GDPR), and how such laws have impacted U.S. federal and state laws. The panel moved on to compare the rights provided by GDPR with those in U.S. state privacy laws such as those of Colorado, Connecticut, and California, highlighting important differences between even similar rights, such as objection rights. Leach said, “Now that we are seeing states pass laws, they are beginning to pass broader consumer rights laws, so the effect of GDPR can clearly be seen.”

A discussion of the current EU data protection regime, which includes GDPR and the e-Privacy Directive (ePD), provided important considerations for U.S. attorneys, as they may encounter clients who require advice about their obligations for EU privacy protections. Lemire talked about the types of data and activities the GDPR applies to and the principles that make up the regulation. She also explained how the ePD impacts the GDPR, such as the safeguards for electronic communications and the treatment of spam and cookies. Stressing that privacy should be important to businesses, she observed that, “Often privacy is viewed as a chore … [but] there’s a ton of value in meeting the requirements of GDPR because it gives value to your business.”

Addressing the ways Brexit affected the UK’s data protection regime, Leach discussed cross-border data transfers, noting that the UK had to develop its own data protection law as it would no longer fall under the umbrella that is the EU. She also talked about proposed reforms to the UK’s data protection law, such as reducing the burdens of compliance, moving from opt-in to opt-out for tracking technologies, and changes to the Information Commissioner’s Office, including the shift to a board.

Heimes then provided an overview of the new EU digital strategy, which includes the Digital Services Act, Digital Markets Act and the Data Governance Act. These laws focus on digital commerce, including both the provision of internet services and of platform services referred to as “gatekeepers,” ensuring they use fair practices and don’t abuse their power. When touching on these proposed protections, Heimes evoked the challenges her nephew has experienced using Amazon for sales. “Amazon just changes its algorithm,” he said. “And we go back to the beginning. Our efforts to be found by consumers are overridden by Amazon’s unilateral decision.” She also noted that these acts would, similar to the GDPR and ePD, have an extraterritorial effect on those who conduct e-commerce in the EU.

Finally, the panelists discussed operational considerations for lawyers based in the U.S. Among the top considerations were records of processing activities, data subject access rights, and whether an EU representative or data protection officer is needed. The panelists urged attorneys to consider cultural and linguistic differences that could impact how an attorney provides advice to clients.

Ethos Privacy’s consultants are regular contributors to privacy webinars, whitepapers, and workshops. Contact us for an update on where we’re appearing next and use the form on our main blog page to subscribe to our privacy news roundups.
