Updated February 3, 2020.
The European privacy laws controlling the flow of data on the EU continent today form the strongest data protection framework in the world. Their force and the rights they give individuals stand well above existing legislation – and are a clear inspiration for emerging data laws around the world.
In this article, all things European. How do the European privacy laws work and where do they overlap? Why do they also affect US websites and how can you become compliant?
Today in the European Union, the flow of data is recognized as an area of life that needs legal regulation.
Combined, the EU privacy laws form the data protection requirements that most website owners and operators in the world are familiar with by now: the need for consent banners by which websites can inform users of the cookies and similar tracking technology they use, and obtain the consent of their end-users for legal processing of their data.
The cookie banner, if you didn’t know, is a European invention!
The public understanding of data has been changing radically in recent years, as we begin to understand that data is not merely numbers in machines, but the exhaust of our private, inner lives that is being used to undermine our personal autonomy and social freedoms in myriad ways.
Targeted advertisement through tracking on websites is an issue, but perhaps the least of problems considering our recent understanding of data’s apparent ability to disrupt fair elections and undermine basic, legal rights.
The processing of data, most people who don’t lobby for the ad tech industry agree, needs stronger and clearer regulation.
Recognized in Articles 7 and 8 of the EU Charter of Fundamental Rights is the respect for private life and for the protection of personal data.
The landscape of EU data protection across the continent is built upon these “indivisible, universal values,” and is essentially made up of two different EU privacy laws: the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR).
These European privacy laws regulate how data is allowed to be collected, processed and stored.
They empower individuals within the EU with certain rights, e.g. the right of prior consent before having their data processed, the right of access to their collected data and the right of erasure of their collected data.
Today, the EU privacy laws have created a landscape of data privacy that website owners across the world have to comply with, if they offer services to the EU.
The European privacy laws extend far beyond the geographical borders of the EU.
The GDPR has an extra-territorial scope, which means that it applies to any domain in the world, so long as it has visitors from the EU.
A website in the US needs to comply with the GDPR and its requirement of having a legal basis for processing personal data, if that website has users from and/or offers services to the EU.
To ensure compliance with the European privacy laws, Cookiebot offers a complete consent solution that scans your website, finds all cookies and similar technology, informs the end-user with full transparency of how their data will be processed, and so enables them to choose which of their data they consent to share and with whom.
Cookiebot enables compliance with both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD).
Because of the extra-territorial reach of the GDPR, websites in the US that offer services to and have visitors from the EU are required to become compliant with the EU privacy law.
EU data protection through the GDPR defends the right of prior consent for anyone in the Union, regardless of whether that individual is an EU citizen or not. Data subjects are, according to the GDPR, any individual who happens to be within the European Union.
The (extra) territorial scope of the GDPR has three principles.
The GDPR applies:
Personal data – also known as personally identifiable information – includes first and last names, e-mail addresses, geolocation and browser history, among many others.
Cookiebot enables true compliance with the European privacy laws through a consent solution for websites around the world. If you have under 100 subpages, you can use Cookiebot for free.
Part of the EU data privacy framework is the restriction of the transfer of personal data to countries outside of the EU, unless the country has been deemed to have an adequate level of personal data protection.
Compared to EU data privacy law, the US lacks comprehensive federal legislation equivalent to the ePD and GDPR and is not recognized as having an adequate level. In fact, the US is virtually the only developed nation without a comprehensive consumer data protection law and an independent agency to enforce it.
That’s why the US Privacy Shield is set up as a way for US businesses and organizations to obtain an adequacy agreement with the EU, allowing free data transfers between the US and EU.
EU data protection compliance extends from the European Alps to the US.
The US Privacy Shield program enables US-based companies “to join the Privacy Shield Framework in order to benefit from the adequacy determinations”, which means that certified US companies are empowered to transfer and process data without restrictions with the EU.
In the wake of the strong EU privacy laws, some states in the US have begun to pass data protection legislation to protect US consumers and users.
The California Consumer Privacy Act (CCPA) will be the first state-wide law to empower Californian users with rights similar to the GDPR, however without important legal bases for processing of personal data, such as that of prior consent.
The California Consumer Privacy Act takes effect on January 1, 2020.
The first half of the European data protection landscape is the ePD.
The ePrivacy Directive is an older piece of legislation – a directive that mandates each EU member state to pass its own corresponding national laws.
It came into effect in 2002 and was amended in 2009.
The ePrivacy Directive was created to harmonize the national protections of the fundamental rights and freedoms of the peoples of Europe, in particular the right to privacy and confidentiality, as well as the free movement of data.
It is also a specifically sectoral directive that concerns the free movement of data and the right to privacy concerning the flow of data in the European electronic communications sector.
It applies to the processing of data in connection with publicly available electronic communications services in the EU.
The ePD speaks about different things concerning the EU electronic communications sector (such as its Article 7 on itemized billing), but it is particularly its Article 5 that is of interest to website owners looking to ensure that their processing of data is compliant with the European privacy laws.
In its Article 5, the ePrivacy Directive (ePD) directs the 27 EU member states to ensure that the storage of information, or the gaining of access to information already stored, on users’ devices is only allowed on condition that the user has given their consent, having been provided with clear and comprehensive information about the purposes of the processing.
In Recital 17 of the ePrivacy Directive, it is further specified that consent can be given by any appropriate method, “including ticking a box when visiting an Internet website”.
This is where cookie consent banners come from, and also why the ePD eventually got its nickname “the EU cookie law.”
A European privacy law compliant consent banner from Cookiebot.
This half of the EU data privacy laws – the ePrivacy Directive – tells websites that if they process data in the EU, they must first inform the users and obtain their consent.
On October 1, 2019, the highest legal entity of the EU, the Court of Justice of the European Union (CJEU), ruled in the case of a German online gaming company, that the only form of valid consent for processing user data in the EU is explicit consent, i.e. consent that is actively and specifically given by the website users by e.g. ticking a box.
Inform yourself on the ruling by the EU Court of Justice (CJEU) on what constitutes valid consent in the European Union.
The second half of the EU data protection landscape is the GDPR.
The GDPR is a newer, broader law – a regulation that automatically is uniform law in all twenty-eight member states (also known in legal terms as a lex generalis).
It took effect in May 2018.
The GDPR regulates EU data protection only when it comes to personal data, while the ePrivacy Directive deals with all data. However, the GDPR operates on a much more general level than the ePD that is, as mentioned, specific to the electronic communications sector.
The GDPR is general in the sense that it deals with a wide variety of areas of data processing, such as data minimization, anonymization and pseudonymization, data breaches and secure data storage.
Read more about GDPR software as solutions to the different GDPR requirements.
The GDPR, in its Article 5, spells out how personal data is allowed to be processed, collected and stored.
Among the principles relating to processing are that it be:
In its Article 6, the GDPR lays out six legal bases for lawful processing of personal data of data subjects in the EU.
If your website processes personally identifiable information of individuals in the EU (known in the GDPR as data subjects), it has to be done on one of the following legal grounds:
Most websites process personal data in the EU by obtaining the consent of their users prior to the processing of their personal data.
This is typically done through a consent banner like the one shown above, also mandated by the ePrivacy Directive.
Another European privacy law compliant consent banner from Cookiebot.
To be compliant with the GDPR’s consent basis for processing, your website will need to –
Although an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict between the EU privacy laws. So says the European Data Protection Board (EDPB) on the issue of the convergence of the ePD and GDPR.
The ePD has a specific focus, contrary to the GDPR’s broad and general focus. The ePD deals particularly with the right to privacy and the right to freedom of communication – two of the fundamental rights in the EU Charter of Fundamental Rights (Article 8) – but is e-coms sectoral.
The GDPR, on the other hand, deals in general with the rules around processing data, however only personal data.
It mandates not only electronic communication services but companies, organizations and institutions to obtain one of six legal bases prior to any processing of personal data, as well as controlling what conditions need be in place for the secure storage of that data, and much more.
When it comes to the interplay between the European privacy laws, the EDPB – in a general sense – says that what the GDPR speaks about, the ePD elaborates and specifies.
Read the EDPB’s opinion of the interplay between the ePD and GDPR.
The EU data protection landscape spanning the European continent is the strongest in the world.
In other words, the difference between the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR) is that the former is specific on the issues that the latter is general about.
Compliance with the EU privacy laws means that websites across the world – if they offer services to users within the EU – must obey the legal framework created by the ePD and GDPR.
Cookiebot makes your website fully compliant with the EU data privacy requirements.