A European data protection review of the year - 2012

As the year draws to a close and the festive season gets under way, a toast comes to mind in which revellers wish each other the foresight to know where they are going but also the hindsight to know where they have been. In other words, it helps to look to the future having learnt from the past. Here we focus on some key jurisdictions by way of example to see what data protection lessons we can learn from 2012.

Lesson 1 - The best laid plans often go awry

EC’s proposed data protection package unveiled


In January, the European Commission unveiled its long-awaited proposals for a wholesale overhaul of European data protection rules along with an ambitious timetable to finalise the proposals into new European data protection law before June 2014. Businesses will be affected by the proposed Regulation which, as it stands, introduces enhanced rights for individuals and tough penalties for non-compliance. Data controllers and data processors with a presence in the EU will have to comply. In addition, organisations, regardless of their location, which process personal data of EU citizens to offer goods and services or monitor their behaviour will also be subject to the new regime. For a review of the contents of the draft Regulation, click here and for further analysis of its impact, click here.

The proposals have elicited a raft of Opinions and critical comment including from the Article 29 Working Party, the European Data Protection Supervisor and, not least, the various national regulators across member states. Meanwhile European governments have been gathering views and lobbying the EU.

Discussion among member states on the draft has moved far more slowly than expected with clear points of disagreement emerging over parts of the text. Particularly contentious issues include:

  • overly prescriptive rules that are considered too rigid and unwieldy;
  • the definition of “consent”;
  • high fines for non-compliance;
  • the cost to business of implementing the proposals;
  • reserved powers for the Commission to produce swathes of secondary legislation; and
  • new rights for individuals, including the right to be forgotten and to data portability.

Lesson 2 – Too many cookies may give you indigestion!


New rules on cookies came into force in the UK in May 2011, implementing the e-Privacy Directive. The rules require, in summary, that all websites which are based in the EU or target EU citizens get consent from users to place cookies (or similar technology) on their machines. The Information Commissioner (IC) gave businesses a year’s breathing space, which ended in May 2012, before starting to enforce the rules.

The rules presented significant logistical and technical challenges for businesses, particularly those operating across multiple websites. The first five months of the year were lost in a frenzy of cookie audits and technical assessments with detailed redrafts of cookie notices and privacy policies. The IC issued guidance on compliance with the new rules including revised guidance published on the eve of the UK compliance deadline in May 2012. This revised guidance takes the view that while explicit consent might allow for regulatory certainty and will be the most appropriate way to comply in some circumstances, “this does not mean that implied consent cannot be valid” although it must still be informed. In a pragmatic interpretation of the rules, the IC suggests bearing in mind the nature of the intended audience of the site; the way in which users expect to receive information from and on the site; and the level of language the audience can be expected to understand as well as the level of intrusion caused by the cookies.


Approaches to implementation have not, however, been uniform across member states. In Germany, for example, the legislator has still not implemented the e-Privacy Directive. According to the German Federal Parliament, the current German regulations are compliant with the requirements set by the Directive. As a consequence, an opt-out is deemed sufficient as long as IP addresses are anonymised and data privacy statements are transparent with regard to setting cookies.

The Austrian Telecommunications Act, on the other hand, has been amended to implement the e-Privacy Directive and allows session, authentication, multimedia player and load balancing cookies to be placed without consent but requires consent for third party analytic cookies.

So was it worth the effort? See our cookie page for more information on member state implementation.

Lesson 3 – Having your head in the clouds is not always a bad thing but watch where you are going!

Cloud Computing

The explosion of personal data being transferred to the cloud has led to a raft of publications from National Regulatory Authorities including those of Germany, France, and the UK as well as an Article 29 Working Party Opinion. It must be said that the guidance and various policies which have emerged during the course of 2012 do not always offer practical solutions to the challenges posed by placing personal data in the cloud and this is likely to continue to be an important issue in the year ahead. For more information on the challenges cloud computing poses to data protection and how to address them, see our Cloud Computing article.

Lesson 4 – It makes life easier if things are clear first time around

Ongoing issues of interpretation

Germany has seen ongoing debate about some key issues which are yet to be clarified under national law. With the end of the final transition period of the 2009 amendment to the German Data Protection Act 1990, businesses are now generally required to verify the origin of opt-ins of a customer database and to document customer consent declarations. The German courts have also focused this year on the validity of consent declarations. Consent declarations are increasingly required to be specific about the sort of marketing content and third party recipients of data being consented to. Simply consenting to “receiving interesting offers from associated firms” has been held to be insufficiently specific. Another topic which is the focus of conflicting decisions is whether an infringement of data protection law is automatically an infringement of competition law. Germany is an EU member state which has historically taken a tough stance on data protection, but the fact that it continues to struggle with interpretation of its own data protection laws backs up the EU’s assertion that a Regulation is a desirable form for new law to take, and also underlines the fact that the drafting will have to be extremely precise if years of wrangling in the courts are to be avoided.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

European review
Vinod Bange


Debbie Heywood

Andreas Schütz

Phillip Koehler

Vinod, Debbie, Andreas and Philipp look back at 2012 and see what data protection lessons can be learned.
