E@ECIPE
🔵 "Evidence proves that services do not weigh down on the economy. On the contrary, there is potential for services… https://t.co/UOhXNE5sbART Michał Boni @MichalBoni: On June 2 at 4:00 am I will lead the conference @connectsmes-What holds the future of #plaform regulation? Take pa… https://t.co/7FnyBg3qxa#Huawei role in #5G and the rise in patent applications suggests 🇨🇳 is ready to lead #digital #innovation. Yet, th… https://t.co/pbAnrRmqxiRT Marion Jansen @MJansenEcon: We are starting to publish findings from the first wave of the @ITCnews #Covid19 Business Impact Survey. Worrying f… https://t.co/qsIouRgSIeRT Marie Audren @AUDREMAR: @ECIPE trade seminar Who will be next #WTO DG? That will keep us busy, whispering names...'let's avoid burning cand… https://t.co/DST8MiTa7t
  • FOLLOW ECIPE
x
Browse

Database

Browse Database
Restrictions on data

EUROPEAN UNION

Since 1995
Since May 2018

Chapter Data policies  |  Sub-chapter Sanctions for non-compliance
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data - Art. 24

General Data Protection Regulation (Regulation 2016/679)
Tthe General Data Protection Regulation (GDPR), which entered into force in May 2018, introduces burdensome administrative fines that can be imposed by the supervisory bodies. The upper limits for these fines are:
- EUR 10,000,000, or 2% of the infringing organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's obligations on data controllers, data processors, certification bodies, and monitoring bodies.
- EUR 20,000,000, or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's principles on data processing (including conditions for consent), data subject's rights, data transfer to third countries and international organizations, and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows.
Coverage Horizontal
Restrictions on data

EUROPEAN UNION

Since August 2016

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Network Information Security (NIS) Directive
The Network Information Security (NIS) Directive requires that an operator of an essential service relying on the service of a digital service provider for the provision of an essential service must notify the relevant authority of any incident affecting the digital service provider which has a 'significant impact' on the continuity of the essential service. “Digital service providers” include to online marketplaces, online search engines, and cloud computing services. The NIS applies to essential service providers and digital service providers with more than 50 employees or an annual balance sheet over 10 millon EUR.

The Directive was adopted by the European Parliament on July 6th 2016 and entered into force in August 2016. Member states have 21 months to transpose the directive into their national laws and 6 months more to identify operators of essential services.
Coverage "Essential services providers" and "digital services providers"
Restrictions on data

EUROPEAN UNION

Reported in January 2017

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (e- Privacy Regulation)
The proposed EU's e-Privacy Regulation stipulates that firms must inform users of security risks when they identify them and, if the risk "lies outside the scope of the measures to be taken by the service provider", inform them of the remedies that users can take and provide an indication of the likely costs involved. As a result of this requirement, firms that are not able to remedy security risks timely would put themselves at greater risk in disclosing the vulnerabilities of their system to their users, increasing the risk of data breaches by actors capable of exploiting them. This is the case, for example, if information on security risks is leaked to the wider public.
Coverage Horizontal
Restrictions on data

EUROPEAN UNION

Since 2002
Since June 2013
Since March 2014
Since May 2018
Reported in January 2017

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Directive 2002/58/EC (e-Privacy Directive)

Regulation 611/2013

Opinion 03/2014 on Personal Data Breach Notification

General Data Protection Regulation (Regulation 2016/679)

Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (e- Privacy Regulation)
According to the e-Privacy Directive (Directive 2002/58/EC) and Regulation 611/2013, personal data breaches in electronic communication services must be notified to the competent national authority. Notification to the authority shall be done no later than 24 hours after the detection of the personal data breach where feasible, extensible to 72 hours in some cases. When the personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller shall also notify the data subject of the breach without undue delay.

An opinion adopted by the Working Party 29 on 25 March 2014 expanded the personal data breach notification requirement in the e-Privacy Directive to controllers beyond electronic communication providers. The General Data Protection Regulation, effective since May 2018, enshrines this measure into EU law.

The proposed e-Privacy Regulation will replace the e-Privacy Directive. It is currently unclear how the overall regime will change as a result.
Coverage Electronic communications services and other controllers
Restrictions on data

EUROPEAN UNION

Since May 2018

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
General Data Protection Regulation (Regulation 2016/679)
Since May 2018, the General Data Protection Regulation requires that organizations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale, must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States imposing such requirements also on private companies.
Coverage Horizontal
Restrictions on data

EUROPEAN UNION

Since May 2014

Chapter Data policies  |  Sub-chapter Personal rights to data privacy
C-131/12 - Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González
In May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themself if "the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed". The ruling is therefore recognizing the so-called right to be forgotten.
Coverage Search engines
Restrictions on data

EUROPEAN UNION

Since May 2018

Chapter Data policies  |  Sub-chapter Personal rights to data privacy
General Data Protection Regulation (Regulation 2016/679)
The General Data Protection Regulation enshrines the right to be forgotten under the "right to erasure", stipulating that this right should be enforced "without undue delay". Finally, should the controller have made the personal data public, it has to erase the personal data, and take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure of the data.
Coverage Horizontal
Restrictions on data

EUROPEAN UNION

Since May 2018

Chapter Data policies  |  Sub-chapter Personal rights to data privacy
General Data Protection Regulation (Regulation 2016/679)
The General Data Protection Regulation (GDPR), entered into force in May 2018, stipulates that "consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement". These requirements are stricter than the previous regime in the sense that pre-ticked boxes or inactivity cannot be considered consent (Recital 32). Furthermore, "consent should cover all processing activities carried out for the same purpose or purposes", and therefore the user has to provide separate consent for separate purposes of processing. In addition, the consent must be withdrawable.
Coverage Horizontal
Restrictions on data

EUROPEAN UNION

Since 2002

Chapter Data policies  |  Sub-chapter Data retention
Directive on privacy and electronic communications - Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
According to the Directive 2002/58/EC, traffic and location data generated by using electronic communications services must be erased or made anonymous when no longer needed for the purpose of the transmission of a communication, except for the data necessary for billing or interconnection payments.
Coverage Horizontal
Restrictions on data

EUROPEAN UNION

Since May 2018

Chapter Data policies  |  Sub-chapter Data retention
General Data Protection Regulation (Regulation 2016/679)
The General Data Protection Regulation prohibits the retention of records containing personal data for a period longer than is necessary for achieving the purposes for which the personal data were collected or subsequently processed.
Coverage Records containing personal data
Restrictions on data

EUROPEAN UNION

Since 2006

Chapter Data policies  |  Sub-chapter Data retention
Data Retention Directive 2006/24/EC

Judgment European Court of Justice in Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others
Under the Data Retention Directive, operators were required to retain certain categories of traffic and location data for a period between six months and two years. In addition, they were required to make the retained data available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.
Coverage Telecommunication sector
Restrictions on data

EUROPEAN UNION

Since May 2018

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
General Data Protection Regulation (Regulation 2016/679)
The EU's General Data Protection Regulation (GDPR), entered into force in May 2018, expands considerably the scope of EU privacy rules. In addition to companies established in the EU, the Regulation applies extra-territorially to companies offering goods or services to data subjects in the EU and companies that monitor the behavior of EU citizens (Art. 3).

The Regulation mandates that data is freely allowed to flow outside the European Economic Area (EEA) only in certain circumstances listed in Chapter 5 of the Regulation. The main conditions for such a transfer are the following: the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or, the transfer is necessary for the performance of a contract between the data subject and the controller.

The GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide for an “adequate” level of personal data protection. Currently, 12 jurisdictions have been deemed adequate: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Jersey, the Isle of Man, Israel, New Zealand, Switzerland and Uruguay. In addition, the EU/US Privacy Shield acts as a self-certification system open to certain US companies for data protection compliance.
Coverage Horizontal