Can businesses monitor their employees’ e-mail? Is an in-house privacy officer required? How do you handle cookies?
These are some of the tricky issues that bedevil international firms doing business in European Union countries, made more complicated by the fact that there are different rules in each of the 27 member states.
The EU has been working on creating a new—single—set of data-protection rules that would “harmonize” the legal regimes of 27 different member states.
But some non-European firms doing business in the bloc worry the changes will make operations even more complicated—and more expensive—because the requirements could become even stricter.
A Canadian company doing business in the Czech Republic right now likely faces laxer rules than in Germany, the country with the strictest privacy standards in Europe.
Under the upcoming rules, the Czech legal regime is likely to become harsher, say data-protection experts.
“Businesses certainly like the idea of the harmonization [of rules], but they are a bit afraid that in the context of that, we are taking on the [strictest rules] from different countries, at which point it can become a problem to operate a business successfully,” said Ulrich Wuermeling, a partner at Latham and Watkins in Frankfurt, who advises firms on data-protection matters.
The new rules aim to protect personal data, such as names, e-mail addresses and bank details. The new legislation would enable businesses to interact with just one data-protection authority, in the country where they are headquartered, saving administrative costs of around €2.3 billion ($3.1 billion), according to the European Commission.
But while the European Commission says the reforms will make it easier for businesses, a conflict between the regulation and another EU directive on e-privacy could mean national telecommunications laws would override some elements of the regulation, meaning in some cases companies would still face complying with 27 different national laws.