EC wants all non-European business to adhere to Data Protection Directive

The European Commission (EC) wants all companies that store data on European citizens, whether based in the EU or not, to be subject to an updated version of the Data Protection Directive due to be unveiled in January.

Businesses without offices or equipment in the EU can currently circumvent European law, as the original directive created in 1995 does not include provisions that could have foreseen the growth of the internet and cloud services.

EU justice commissioner Viviane Reding and EC vice president Ilse Aigner met in Brussels on Monday to discuss the new directive, and outlined their desire for the law to compel any firm interacting with EU citizens to adhere to EU regulations.

"We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business in our internal market," they said.

"This also applies to social networks with users in the EU. We have to make sure that they comply with EU law and that EU law is enforced, even if it is based in a third country and even if its data is stored in a 'cloud'."

Furthermore, the politicians said that consumers should have more rights to protect their data, such as being able to provide explicit consent before any data is used by businesses and having the right to delete their data at any point.

"Consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies that process their personal data are established," they said.

Eduardo Ustaran, head of Field Fisher Waterhouse's privacy and information law group, told V3 that updating the directive is vital for the EC to make the law fit for purpose and provide more protection for citizens.

"The EC wants to make sure that companies targeting individuals in the EC do not fall outside European law as the current directive is limited in its scope," he said.

"For example, German data regulators find it hard to compel organisations to adhere to its own laws if they're not based within the EU at large, so there is a strong desire to overhaul the current system."

Once unveiled in January, the document will be subject to debate and discussion, giving companies the chance to respond to the proposed changes by lobbying or an official consultation process before it becomes law.

Part of the draft document is likely to include information on a system called Binding Safe Processor Rules (BSPR) that will enable cloud hosting firms to take legal responsibilty for the protection of data, revealed by V3 in September.

This could help drive the use of cloud services, as any lost data is currently the responsibility of the owner of the information, making many organisations wary of using the cloud.

Ustaran revealed to V3 that the French and Polish data protection authorities voiced their approval for the BSPR system at a data protection conference in Mexico last week as they believe it will increase data protection for EU citizens.