Updated October 27, 2020.
The European privacy laws controlling the flow of data on the EU continent today form the strongest data protection framework in the world. Their force, and the rights they give individuals, go beyond existing legislation elsewhere – and they are a clear inspiration for emerging data laws around the world.
This article covers all things European: how the European privacy laws work, where they overlap, why they also affect US websites, and how you can become compliant.
Become compliant with Cookiebot consent management platform (CMP).
European privacy laws and the landscape they form
Today in the European Union, the flow of data is recognized as an area of life that needs legal regulation.
Combined, the EU privacy laws form the data protection requirements that most website owners and operators in the world are familiar with by now: the need for consent banners by which websites inform users of the cookies and similar tracking technology they use, and obtain the consent of their end-users for lawful processing of their data.
The cookie banner, if you didn’t know, is a European invention!
The public understanding of data is changing radically these years, as we begin to understand that data is not merely numbers in machines, but exhaust of our private, inner lives that is being used to undermine our personal autonomy and social freedoms in myriad ways.
Targeted advertisement through tracking on websites is an issue, but perhaps the least of problems considering our recent understanding of data’s apparent ability to disrupt fair elections and undermine basic, legal rights.
The processing of data, most people who don’t lobby for the ad tech industry agree, needs stronger and clearer regulation.
Try the free Cookiebot CMP GDPR compliance test to see whether your website lives up to the requirements of the European privacy law.
EU data protection as a fundamental right
Recognized in Article 7 and 8 of the EU Charter of Fundamental Rights is the respect for private life and for the protection of personal data.
The landscape of EU data protection across the continent is built upon these “indivisible, universal values,” and is essentially made up of two different EU privacy laws: the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR).
These European privacy laws regulate how data is allowed to be collected, processed and stored.
They empower individuals within the EU with certain rights, e.g. the right of prior consent before having their data processed, the right of access to their collected data and the right of erasure of their collected data.
Today, the EU privacy laws have created a landscape of data privacy that website owners across the world have to comply with, if they offer services to the EU.
The GDPR has an extra-territorial scope, which means that it applies to any domain in the world, so long as they have visitors from the EU.
A website in the US needs to comply with the GDPR and its requirement of having a legal basis for processing personal data, if that website has users from and/or offers services to the EU.
To ensure compliance with the European privacy laws, Cookiebot CMP offers a complete consent solution that scans your website, finds all cookies and similar technology, informs end-users transparently about how their data will be processed, and so enables them to choose which of their data they wish to share and with whom.
Cookiebot CMP enables compliance with both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD).
Try Cookiebot CMP for free today… or forever if you have a small website.
EU data protection in the US
Because of the extra-territorial reach of the GDPR, websites in the US that offer services to and have visitors from the EU are required to become compliant with the EU privacy law.
EU data protection through the GDPR defends the right of prior consent for anyone in the Union, regardless of whether that individual is an EU citizen or not. Data subjects are, according to the GDPR, any individual who happens to be within the European Union.
The (extra) territorial scope of the GDPR has three principles.
The GDPR applies:
- if a website, company or organization (data controller or processor) is located within the EU, regardless of whether the processing takes place in the Union or not.
- if personal data is processed on individuals who are in the EU, regardless of where in the world the website, company or organization is located.
- if processing of personal data is taking place outside of the EU, but in a place where Member State law applies by virtue of public international law.
Personal data – also known as personally identifiable information – includes first and last names, e-mail addresses, geolocation and browser history, among many others.
Cookiebot CMP enables true compliance with the European privacy laws through a consent solution for websites around the world. If you have under 100 subpages, you can use Cookiebot CMP for free.
International data transfer and EU data protection
Part of the EU data privacy framework is the restriction of the transfer of personal data to countries outside of the EU, unless the country has been deemed to have an adequate level of personal data protection.
Compared to EU data privacy law, the US lacks comprehensive federal legislation equivalent to the ePD and GDPR and is not recognized as having an adequate level. In fact, the US is virtually the only developed nation without a comprehensive consumer data protection law and an independent agency to enforce it.
That’s why the US Privacy Shield is set up as a way for US businesses and organizations to obtain an adequacy agreement with the EU, allowing free data transfers between the US and EU.
The US Privacy Shield program enables US-based companies “to join the Privacy Shield Framework in order to benefit from the adequacy determinations”, which means that certified US companies are empowered to transfer and process data without restrictions with the EU.
EU data protection vs California Consumer Privacy Act (CCPA)
In the wake of the strong EU privacy laws, some states in the US have begun to pass data protection legislation to protect US consumers and users.
The California Consumer Privacy Act (CCPA) will be the first state-wide law to empower Californian users with rights similar to the GDPR, however without important legal bases for processing of personal data, such as that of prior consent.
The California Consumer Privacy Act took effect on January 1, 2020.
ePrivacy Directive (ePD)
The first half of the European data protection landscape is the ePD.
The ePrivacy Directive is an older piece of legislation – a directive that requires each EU member state to pass its own corresponding national laws.
It came into effect in 2002 and was amended in 2009.
The ePrivacy Directive was created to harmonize the national protections of the fundamental rights and freedoms of the peoples of Europe, in particular the right to privacy and confidentiality, as well as the free movement of data.
It is also a specifically sectoral directive: it concerns the free movement of data and the right to privacy in the European electronic communications sector.
It applies to the processing of data in connection with publicly available electronic communications services in the EU.
ePrivacy Directive on EU data protection
The ePD speaks about different things concerning the EU electronic communications sector (such as its Article 7 on itemized billing), but it is particularly its Article 5 that is of interest to website owners looking to ensure that their processing of data is compliant with the European privacy laws.
In its Article 5, the ePrivacy Directive (ePD) directs the 27 EU member states to ensure that the storage of information, or the gaining of access to information already stored on users’ devices, is only allowed on condition that the user has given their consent, having been provided with clear and comprehensive information about the purposes of the processing.
In Recital 17 of the ePrivacy Directive, it is further specified that consent can be given by any appropriate method, “including ticking a box when visiting an Internet website”.
This is where cookie consent banners come from, and also why the ePD eventually got its nickname “the EU cookie law.”
This half of the EU data privacy laws – the ePrivacy Directive – tells websites that if they process data in the EU, they must first inform the users and obtain their consent.
On October 1, 2019, the highest legal entity of the EU, the Court of Justice of the European Union (CJEU), ruled in the case of a German online gaming company that the only form of valid consent for processing user data in the EU is explicit consent, i.e. consent that is actively and specifically given by the website users, e.g. by ticking a box.
Inform yourself on the ruling by the EU Court of Justice (CJEU) on what constitutes valid consent in the European Union.
General Data Protection Regulation (GDPR)
The second half of the EU data protection landscape is the GDPR.
The GDPR is a newer, broader law – a regulation that automatically applies as uniform law in all 27 member states (also known in legal terms as a lex generalis).
It took effect in May 2018.
The GDPR regulates EU data protection only when it comes to personal data, while the ePrivacy Directive deals with all data. However, the GDPR operates on a much more general level than the ePD, which is, as mentioned, specific to the electronic communications sector.
The GDPR is general in the sense that it deals with a wide variety of areas of data processing, such as data minimization, anonymization and pseudonymization, data breaches and secure data storage.
Read more about GDPR software as solutions to the different GDPR requirements.
EDPB guidelines on valid consent
On May 4, 2020, the European Data Protection Board (EDPB) issued guidelines on valid consent in the EU. They clarify what does and does not constitute valid user consent for the processing of personal data.
The EDPB guidelines specify that scrolling or continued use of a website is not valid consent, that cookie banners may not have pre-ticked checkboxes, and that cookie walls are a non-compliant way of obtaining consent.
GDPR on EU data protection
The GDPR, in its Article 5, spells out how personal data is allowed to be processed, collected and stored.
Among the principles relating to processing are that it be:
- in a transparent manner
- collected for specified, legitimate purposes
- limited to what is necessary
- kept in a form which permits identification of data subjects
In its Article 6, the GDPR lays out six legal bases for lawful processing of personal data of data subjects in the EU.
If your website processes personally identifiable information of individuals in the EU (known in the GDPR as data subjects), it has to be done on one of the following legal grounds:
- with the consent of the data subject
- processing necessary for the performance of a contract
- processing necessary for compliance with legal obligations
- processing necessary to protect “vital interests” of the data subject
- processing necessary for tasks carried out in public interest
- processing necessary for purposes of legitimate interests pursued by the controller or by a third party
Most websites process personal data in the EU by obtaining the consent of their users prior to the processing of their personal data.
This is typically done through a consent banner like the one shown above, which is also mandated by the ePrivacy Directive.
To be compliant with the GDPR’s consent basis for processing, your website will need to:
- obtain clear and unambiguous consent from its users
- prior to any processing of personal data
- after specifying all types of cookies and other tracking technology present and operating on its pages
- in easy-to-understand ways that enable users to consent and to revoke consent for each specific category of cookies
- and then be able to safely and confidentially document each user consent
- renew consent annually; some national data protection guidelines recommend more frequent renewal, e.g. every 6 months, so check your local data protection guidelines for compliance.
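As an added example (not Cookiebot’s code and not part of the original article), a minimal JavaScript consent gate that encodes the requirements above: no pre-ticked optional categories, no consent from scrolling, a timestamped consent record, per-category revocation, annual expiry, and scripts that run only for consented categories. The category names, the renewal period and the sample script list are assumptions made for this illustration.

```javascript
// Added example, not Cookiebot's code. Category names, renewal period and the
// sample script list are assumptions for this illustration.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const RENEWAL_DAYS = 365; // annual renewal; some DPAs recommend e.g. 6 months
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample of the scripts a page would load, tagged by category.
const SAMPLE_SCRIPTS = [
  { id: "session-cookie", category: "necessary" },
  { id: "analytics", category: "statistics" },
  { id: "ad-pixel", category: "marketing" },
];

// No pre-ticked boxes: only strictly necessary cookies are on by default.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

// A consent record is only created by an explicit, affirmative action on the
// banner; scrolling, continued browsing or closing the banner yields none.
function recordConsent(choices, action, now = Date.now()) {
  if (action !== "explicit") return null;
  const record = { choices: defaultChoices(), purposesShown: [...CATEGORIES], givenAt: now };
  for (const c of CATEGORIES) {
    if (c !== "necessary") record.choices[c] = choices[c] === true; // opt-in only
  }
  return record; // persist this timestamped record as the documentation of consent
}

// Consent expires after the renewal period; an expired record counts as none.
function isValid(record, now = Date.now()) {
  return record !== null && now - record.givenAt < RENEWAL_DAYS * DAY_MS;
}

// Revoking one category must be as easy as granting it: returns a new record
// with that category switched off. "necessary" cannot be revoked.
function revoke(record, category, now = Date.now()) {
  if (!isValid(record, now) || category === "necessary") return record;
  return { ...record, choices: { ...record.choices, [category]: false }, updatedAt: now };
}

// The gate: which scripts may execute given the current consent state.
function allowedScripts(scripts, record, now = Date.now()) {
  const ok = isValid(record, now);
  return scripts
    .filter((s) => s.category === "necessary" || (ok && record.choices[s.category] === true))
    .map((s) => s.id);
}
```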
The interplay of the European privacy laws
Although an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict between the EU privacy laws. So says the European Data Protection Board (EDPB) on the issue of the convergence of the ePD and GDPR.
The ePD has a specific focus, contrary to the GDPR’s broad and general focus. The ePD deals particularly with the right to privacy and the right to freedom of communication – two of the fundamental rights in the EU Charter of Fundamental Rights (Article 8) – but is sectoral, applying to electronic communications.
The GDPR, on the other hand, deals in general with the rules around processing data, however only personal data.
It requires not only electronic communication services but all companies, organizations and institutions to have one of six legal bases prior to any processing of personal data; it also sets out the conditions that need to be in place for the secure storage of that data, and much more.
When it comes to the interplay between the European privacy laws, the EDPB – in a general sense – says that what the GDPR speaks about, the ePD elaborates and specifies.
Read the EDPB’s opinion of the interplay between the ePD and GDPR.
In other words, the difference between the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) is that the former is specific on the issues that the latter is general about.
Compliance with the EU privacy laws means that websites across the world – if they offer services to users within the EU – must obey the legal framework created by the ePD and GDPR.
Cookiebot CMP makes your website fully compliant with the EU data privacy requirements.
What are the European privacy laws?
The European privacy regime consists of the General Data Protection Regulation (GDPR), the ePrivacy Directive (ePD) and the European Data Protection Board (EDPB) and their guidelines and decisions on enforcement in the EU.
What is the GDPR?
What is the ePrivacy Directive?
The Privacy and Electronic Communications Directive is an EU directive that governs privacy and personal data in regard to electronic communication in the European Union. It was passed in 2002 and amended in 2009 and requires the consent of users for the processing of their personal data, as well as setting out rules for unsolicited e-mails and marketing.
What are the EDPB guidelines on valid consent?
The European Data Protection Board (EDPB) is the leading supervisory authority in charge of GDPR enforcement in the European Union. The EDPB adopts guidelines that direct national data protection authorities on how to enforce the GDPR in each EU member state. The EDPB guidelines on valid consent from May 2020 clarify that scrolling and continued browsing do not constitute valid consent, that cookie banners cannot have pre-selected checkboxes and that cookie walls are non-compliant.