Essay: Data protection within the European Union

Now that the value of Big Data is more clear, it is necessary to look at how all this data is protected through Europe. First the European Union will be looked at, followed by some of the EU countries including the Netherlands, to compare if all European citizens are protected the same.
European Union
To get a better understand about what a EU law means to consumers and businesses in Europe, the different types of laws need to be distinguished. There are five types of laws namely, a regulation, directive, decision and recommendations & opinions. Each of these types of law have a different consequence for a EU country (Davies, 2013).
Regulations
A regulation is a general application, which means it applies to all EU countries, and the regulations is binding in its entirety. A regulation is directly applicable into national laws, which means that national legislators do not need to incorporate the regulation. Since a regulation is directly applicable it means that there is a uniformity of law throughout the EU (Davies, 2013).
Directive
A directive is a sort of law which is only binding to those who the directive is addressed to. It is an obligation for member states to try to find a particular outcome which comes close to what the directive says. A directive will be implemented into national legislation of the member states that need to do so and the European Union draft directives to ensure a form of harmonization of rules in the EU (Davies, 2013).
Decisions
Decisions are directly applicable into national legislation but not for the entire European Union. A decision looks a lot like a regulations however, a decision is only binding to the member state the decision is addressed to (Davies, 2013).
Recommendations and opinions
The big difference between regulations, directives and decisions when looking at recommendations and opinions is that the last two sort of laws are not legally binding. They are called soft law and even though they are not legally binding, they are influential and national court should take these into account (Davies, 2013).
The European Union has finalized the directive 95/46/EC the protection of personal data in December 1995. The directive is made to protect the rights and freedom with respect of processing personal data. Three major parts in this directive are important, starting with data processing is only legal when:
1. The person who’s data is being used has given its consent to do so.
2. Data processing is necessary because of the performance of a contract to which the data is subject.
3. Data processing is necessary for submission off a legal obligation.
4. Data processing is necessary for the performance of a tasks which is performed with the public interest in mind.
5. Data processing is necessary for legitimate interest by or a third party or a controller, except when the interest overrides the fundamental rights and freedom of the data which should be protected.
Besides these five rules there are two data quality principals, data must always be processed fairly and according to the law and the purpose must be specified beforehand. And it is forbidden to process data which reveals racial or ethnic origins, political opinions and religious believes. The directive as well states that a person who’s data is processed can exercise the following rights:
1. A person always has the right to obtain the information, this means the controllers should be open about what is done with the data.
2. The person has the right to access the data at all times.
3. The right to object to the processing of the data.
As learned until now is that the European Union has set a directive for Member states to implement into their law, this means that the information above is a guideline and member states have the right to implement these point to their own meaning. The entire directive can be found in annex one. Now that the European Union’s point of view of internet privacy is set out, it is necessary to look at specific countries to see how internet privacy differs or is the same for all citizens in the European Union.
The Netherlands
First country to compare is the Netherlands, the Dutch government handles internet privacy issues through the Personal Data Protection Act which entered in July 2000. What stands out immediately is that article 8 of the act is precisely the same as the legal data processing point of the European Union (Korthals, 2000). This act doesn’t only cover internet privacy but as well privacy about phone calls. The internet privacy in the Netherlands consists of three important point of view, first of all are businesses and organizations not allowed to use personal data without the person gives their permission, this is done by giving authorization to the use of cookies on a website. This first and the following point are to be found back in the cookie act. Every time a person gives the authorization the websites stores the information of what this person is doing on the site. This can be used as known already to make a person profile for businesses objectives (Rijksoverheid, n.d.).
Second is that the Dutch government believes that is must be possible for a person to be forgotten on the internet. An organization or business must deleted all personal data of the specific person when asked. Plus there should be an option for a consumer to gain a copy of all existing data about him or herself. This rule comes out of the directive of the European Union. Last important point in the protection of personal data in the Netherlands is that a person visiting any website should get a clear and brief explanation about the use of personal data. It is not sufficient anymore for a website owner to only provide a large and unclear explanation. The CBP, a supervisory board that looks after protecting personal data is authorized by the Dutch government to fine any business or organization how breaks these rules. The government wants to empower them even more in the future, unfortunately it is not clear yet how (Rijksoverheid, n.d.). Conclusion after analyzing both the European directive and the Dutch act is that there is little to no differences. Due to the fact that privacy is a wide conception, the focus will be on the cookie acts, since with accepting a cookie a person gives permission to have their data being used.
Germany
The Netherlands transferred the EU law into the national legislation. Germany however thought their current cookie law was protective enough and did not needed to be adjusted. Currently in Germany the Tele media Act specifies that users must be informed when organizations or businesses use methods that could identify personal data. It is therefore considered that website owners should inform users on how cookies are being used in their privacy policies. The law as well says that users should be able to refuse the use of their data for the purpose of marketing. The question in Germany rise as to whether this would apply to the collection of an IP address and the German data protection authorities released an announcement in 2009 clarifying that an IP address would not count as an alias and that where the full IP address is collected, the website owner must have asked for approval, which is same as in the Netherlands (German Cookie Law, 2015). When analyzing the current information it seems that the German law is not that different as the Dutch act or what is mentioned in the EU directive. It could be said though that the EU directive is stricter than the German law due to the fact that the EU directive requires permission when data is stored, this does not need to be personal data only. However in the Facebook case the German law stand out as very strict (German Cookie Law, 2015).
Facebook announced in 2014 that as of January first 2015 the privacy setting would change. They will have access to the information of a person using a particular app or another website. This information they use to advertise better on the user’s profile on Facebook (Eg, 2014). Since the headquarter of Facebook is established in Ireland, the European privacy law is binding for all EU countries. However the highest judge in Germany decided that due to the fact that all the Facebook information goes to a server in the USA, the privacy law of the USA should be binding. However because of the fact the USA is not part of the EU, Germany can decide for itself how to protect its citizens (Kruidhof, 2014). What is comes down to is that due to this decision the Germany users of Facebook can protect themselves through the privacy settings of the fact that their name and profile picture cannot be placed on another timeline as a form of advertising. Furthermore are German Facebook users given the power to not give up their right on their own pictures and video’s (Eg, 2014). The reason why Dutch citizens are not protected the same as the German is caused by the Dutch government who uses the EU law when it comes to Facebook. The Dutch government however is working on a new bill which should give the organization that protects Dutch data more power, for example fining Facebook for misuse. Unfortunately until now this is not the case and they are only allowed to warn companies, which according to Jacob Kohnstamm, director of the CBP, the advisory board of the protection of data is convinced that big companies such as Facebook will not be scared by a fine (Kruidhof, 2014).
United Kingdom and Ireland
As seen until now is that all EU countries must find a way to implement the EU directive into national legislation. Ireland did this at the simplest way possible to ensure some of the biggest online companies to keep their headquarter in Ireland. Where the EU directive says that there must be an option (pop-up in most cases) to give consent of the use of a person’s data, the Irish cookie law says that this permission does not have to be explicit but could be initiated. This means that citizens in Ireland could give consent through their website browser in the privacy settings. This setting is than leading for all website and keeps companies from writing pages about the use of data on their website (Irish Cookie Law, 2015).
As of May 2012 the British government implemented and new privacy act in harmony with the EU directive. The new privacy act states that all British websites should get a consent first before making use of cookies at their website. This means that the British citizens have control over their own data, due to the fact that every time they visit a new website and they have to give their consent. The information commissioner’s office (ICO) is and organization within the United Kingdom which are responsible of enforcement of the privacy law and are given the competence to fine companies for not complaining with the rules, fines could rise up to ‘500.000 (Delfgaauw, 2012).
France
France is the only country so far that hasn’t made a definite act yet about how citizens must be protected against companies making use of their data. Currently France is working on a new bill that users of internet should change their privacy setting in the particular browser, the same as in Ireland. Until this bill is passed companies should have a definite warning when entering a website with the fact that they make use of cookies. Citizen could then give their consent or not. The current option seems to be more in line of what the EU directive states, since internet users get the warning when visiting a website (Delfgaauw, 2012).
Spain
Next country is Spain, in Spain companies need to get permission from the internet user before cookies can be placed. This precisely means that internet users need to change their settings in the internet browser. However in Spain internet users must have to possibility to define different sort of cookies. The only problem is that most internet browsers do not give the options to change only a particular cookie, therefore they can only make standard changes. The Spanish government believes that all information that is given and the removal of this information must be simple for the internet user. This last action must be completed by the companies and organizations that want to make use of cookies (Delfgaauw, 2012).
Belgium
Last country that will be examined is Belgium. The cookie act in Belgium is similar to the one in the Netherlands. There are two main points that came out of the cookie act, first is that internet users must be informed of the use of cookies, this could be done by stating it in the privacy statement on the website. Second is that visitors of the website must give a consent with the use of cookies. This means that every new visitor on the website will need to see a clear statement and know that when ignoring the statement they give their consent (Maes, 2014).
Conclusion
The conclusion of comparing the above privacy acts it that all countries comply with the directive as made by the European Union. However not all countries are that strict, Ireland, France and Spain have the least strict policy concerning cookies. All that is acquired is a change in the browser setting, the negative note to this is that not all internet users could be aware of this and therefore do not know that their data is being uses. The Netherlands, Germany, UK and Belgium have a more clear policy. Every internet user visiting a particular website will get a warning about the use of cookies and they must give their consent. When they not give their consent it means that companies and organizations cannot use the data that is left behind.