Israeli cos must beware new EU online privacy laws

Prof. Van Eecke Photo: Eli Yizhar

DLA Piper Partner Prof. Patrick Van Eecke warns Israeli companies that online privacy violations could cost billions of dollars in fines.

New EU legislation sets out to revolutionize privacy and the way organizations that own databases are managed. Anchoring the right to have information erased, and the obligation to inform the regulator when a database is hacked, are only some of the new rules. The bigger innovation in this legislation is the teeth it gives to the regulators responsible for databases in Europe: every data protection authority in every EU country is granted the power to impose fines of up to 4% of global revenue on companies that violate the rules.

The new legislation is presumably preoccupying the executives of the Internet giants, and it should also concern Israeli entrepreneurs, because in practice the law will affect practically everybody operating on the Internet. Meanwhile governments, which have granted themselves extensive powers to act and to spy on our online activities as they please, have nothing to worry about.

The EU laws on database protection have existed for more than 20 years but did not undergo much change until very recently. This was probably because the issue was not a high regulatory priority until recently, explains DLA Piper Partner Prof. Patrick Van Eecke. An eminent expert in the field of privacy protection, he heads the global firm's Internet law group and co-chairs its e-business practice. Prof. Van Eecke spoke to "Globes" during a recent visit to Israel to participate in a conference organized by DLA Piper together with leading Israeli law firm Yigal Arnon & Co.

He said, "The new regulations are comprehensive and innovative and they can be called second generation. They were enacted from the perspective that these will be the regulations for the next 20 years. The legislation takes into account topics such as 'big data analytics' (algorithms researching the vast amount of information found on the Internet to identify patterns of behavior, correlations and customer preferences, among other things, for the purposes of business intelligence), 'profiling' (for example the assumption that a person who is interested in soccer is also interested in beer), social networks, and the links between these areas that influence privacy."

Punitive powers

Before delving into the details of "what is prohibited and what is permitted" under the new European legislation, it is worth dwelling on one of the most striking features of the process promoted by the EU, and perhaps the greatest drama to come out of it: the unprecedented sanctions the new legislation allows. "Data protection authorities have for the first time been given punitive powers, comparable to the powers of bodies like the antitrust authorities in Europe," explains Van Eecke. "As well as the option of imposing financial sanctions of up to €20 million or 4% of the annual revenue of the offending corporation, whichever is the larger, with the 4% deriving from the income of the entire corporation - that is to say in global terms."

Van Eecke demonstrates the size of the drama by taking Microsoft as an example. "Take, for example, the situation in which Microsoft violates the regulations in Malta, or Luxembourg, or any other small country in the EU - the data protection authority in that country will be able to impose on Microsoft a fine of up to 4% of global revenue. In 2015, Microsoft's revenue was around $100 billion, so that means up to $4 billion could be imposed for one violation. These are almost unprecedented powers."

That's a large amount of money. Who would receive such an amount in such a case?

"The money will go to the country that is imposing the sanctions, including those small countries for which such sums are a large amount of money in their terms. It is reasonable to assume that this is a matter that will cause legal advisors and directors to lose sleep." Van Eecke says that the new legislation came into effect last May but includes a "grace period" of two years, so that the date it will come into force is May 2018.

The right to be forgotten

The new legislation includes many rules on how databases are to be managed and maintained. One of the fundamental principles expressed in the new legislation is "the right to be forgotten" in the practical sense. The right applies when a person's personal details are collected by a third party managing a database (in other words, any of us), and it entitles that person to demand that the third party erase all the information about him.

Can you explain the practical significance? Would closing a Facebook account mean that the social network would erase the information it holds about me?

"The basic answer is yes, but there are a number of exceptions to this. One exception concerns the agreement between the parties: if there is a signed agreement with the third party, and keeping the information is vital to complying with the agreement, then the third party can continue holding the information. Another exception is a situation in which keeping the information is required for protection against a lawsuit that the customer might file against the owner of the database. There is a limited number of other exceptions, but the general principle is that closing an account must bring about the erasure of personal information."

One of the biggest problems regarding databases is the concern about their being hacked. "The legislation in the field of databases enacted decades ago included the obligation to protect, in a reasonable manner, information kept in a database from hacking, theft or various manipulations, and that remains in effect," explains Van Eecke. He said that the major innovation in the field of database protection in the new European legislation relates to the obligation to give notice when a database is hacked. "From the moment that the owner of a database discovers that the data has been hacked, he has 72 hours to report the break-in to the data protection authority," he explains.

We tend to think that the most bitter enemies of the protection of information are governments themselves. Will governments be permitted a "back door" to collect information about us?

"Governments must also comply with the legislation, and they have allowed themselves an extensive field of operation for this purpose. In order to gather information about an individual, the owner of the database is required to present some sort of legal basis for collecting the information. This basis can be consent, such as the agreement given by users registering for various Internet services to allow information to be collected about them.

"One opening that the authorities left themselves is a situation in which there is a specific law in effect in a country authorizing a given authority to gather information, and in such an instance there is no need for consent. Therefore, for EU countries it will be relatively easy to enact laws allowing them to collect data about citizens."

Prof. Van Eecke explains that the new legislation does not address the exchange of data between various authorities, but EU regulations permit member countries to exchange information with each other, so it can be assumed that information held by the investigative authority in France will become available, if needed, to its counterpart in Germany.

"The aim of the Europeans is to create a legislative regime that will apply to international businesses."

As befits a country whose intelligence authorities have become a Hollywood legend, and whose high-tech industries rest to a great extent on the professional training of the military units that monitor millions of people throughout the Middle East and beyond, Israel has in recent years become, to a large extent, a major power in gathering information about Internet and cellular users.

Many Israeli ventures are based on business models that ignore the grave concerns about harming privacy. How come? Dozens and perhaps hundreds of Israeli companies provide free services in exchange for a user agreement that allows their software to gather data about the user's preferences, age, gender, physical location, fondness for a certain color of hair, detective stories or fine literature, cakes with or without cream, feelings towards the color orange, and more. All of us agree to be interrogated without our knowledge when we agree to download free software: a browser performance add-on, or an entertainment app that keeps working even when we are not using it.

So how will the new European legislation influence Israeli entrepreneurs?

Van Eecke said, "The reader or Israeli shareholder will perhaps read the details and think, 'How does this affect me? Why should the EU legislation bother me?' But in reality the new legislation has many effects, through several channels of application. The first channel is through the company's country of incorporation. It is enough that the company has some sort of subsidiary or linked company in its chain incorporated in one of the European countries, and the new legislation applies to it."

"Another channel is the provision of any products or services to users in Europe. If you serve somebody in Europe, the law applies to you in those countries in which the users are found. The intention of the decision makers in European countries was to create a legislative regime that would apply to 99% of the businesses operating internationally, and there is no doubt that that will be the case."

Harmonization of the law

Adv. Yoheved Novogroder-Shoshan, Special Counsel at Yigal Arnon & Co., who specializes in IP, privacy protection and Internet deals, believes that the influence on Israeli companies won't necessarily be negative. "The fact that Israeli companies are in touch with communities throughout the world means that they are subject to the rules and policies of the different countries in which they operate."

Adv. Novogroder-Shoshan adds that, "In recent years we see that the legislation in one country comes into line with the legislation in another country, until harmonization of the law is created. Therefore, it seems that in the coming years, even though there is a lot of new legislation in various countries, the rules will actually become clearer."

An additional tool that the European legislator sought to add to the legislation is a stricter definition of the consent we give to all the software and apps that rummage through our devices and our preferences. For example, whereas in the past we could click on the "next" button, thereby approving the small print stating that "we have read the conditions of use and agree to them," today an active and positive act of consent is required, such as clicking ourselves on a button which makes clear, in a prominent manner, that we are giving consent for information to be collected about us.

Although there are many regulations expanding the disclosure owed to users and the obligation to obtain users' consent in advance, Van Eecke also thinks that the average customer will continue to be indifferent to the intrusion into his privacy even after the changes are implemented. "I agree that the typical customer, eager to download software, will continue quickly clicking until he has obtained what he is looking for," he said. "Ultimately, users also have responsibility for their online behavior."

Published by Globes [online], Israel business news - www.globes-online.com - on August 28, 2016

© Copyright of Globes Publisher Itonut (1983) Ltd. 2016
