EU data protection as a fundamental right<\/h3>\n\n\n\n
Recognized in Article 7 and 8 of the EU Charter of Fundamental Rights<\/a> is the respect for private life<\/strong> and for the protection of personal data<\/strong>.<\/p>\n\n\n\n The landscape of EU data protection across the continent is built upon these \u201cindivisible, universal values,\u201d and are essentially made up of two different EU privacy laws: the ePrivacy Directive<\/strong> (ePD) and the General Data Protection Regulation<\/strong> (GDPR).<\/p>\n\n\n\n These European privacy laws regulate how data is allowed to be collected, processed and stored.<\/p>\n\n\n\n They empower individuals within the EU with the certain rights, e.g. the right of prior consent<\/strong> before having their data processed, right of access<\/strong> to their collected data and the right of erasure<\/strong> of their collected data.<\/p>\n\n\n\n Today, the EU privacy laws have created a landscape of data privacy that website owners across the world have to comply with, if they offer services to the EU.<\/p>\n\n\n\n The GDPR has an extra-territorial scope<\/strong>, which means that it applies to any domain in the world, so long as they have visitors from the EU.<\/p>\n\n\n\n A website in the US needs to comply with the GDPR and its requirement of having a legal basis for processing personal data, if that website has users from and\/or offer services to the EU.<\/p>\n\n\n\n To ensure compliance with the European privacy laws, Cookiebot CMP<\/a> offers a complete consent solution<\/strong> that scans your website, finds all cookies and similar technology, informs with full transparency the end-user of how their data will be processed, and so enables them to decide their choice of consent for what of their data they wish to share and with whom.<\/p>\n\n\n\n Cookiebot CMP<\/a> enables compliance with both the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD).<\/p>\n\n\n\n Try Cookiebot CMP for free today<\/a>... or forever if you have a small website.<\/p>\n\n\n\n Because of the extra-territorial reach of the GDPR, websites in the US who offer services to and have visitors from the EU are required to become compliant with the EU privacy law.<\/p>\n\n\n\n EU data protection through the GDPR defends the right of prior consent for anyone in the Union, regardless of whether that individual is an EU citizen or not. Data subjects<\/strong> are, according to the GDPR, any individual who happens to be within the European Union.<\/p>\n\n\n\n The (extra) territorial scope of the GDPR has three principles.<\/p>\n\n\n\n The GDPR applies:<\/p>\n\n\n\n Personal data<\/strong> \u2013 also known as personally identifiable information \u2013 includes first<\/strong> and last names<\/strong>, e-mail addresses<\/strong>, geolocation<\/strong> and browser history<\/strong>, among many others.<\/p>\n\n\n\n Cookiebot CMP<\/a> enables true compliance with the European privacy laws through a consent solution for websites around the world. If you have under 50 subpages, you can use Cookiebot CMP for free.<\/p>\n\n\n\n Try Cookiebot CMP now for real compliance with the European privacy laws<\/a>.<\/p>\n\n\n\n Part of the EU data privacy framework is the restriction of the transfer of personal data<\/strong> to countries outside of the EU, unless the country has been deemed to have an adequate level<\/strong> of personal data protection.<\/p>\n\n\n\n Compared to EU data privacy law, the US lacks comprehensive federal legislation equivalent to the ePD and GDPR and is not recognized as having an adequate level<\/strong>. In fact, the US is virtually the only developed nation<\/a> without a comprehensive consumer data protection law and an independent agency to enforce it.<\/p>\n\n\n\n That\u2019s why the US Privacy Shield<\/a> is set up as a way for US businesses and organizations to obtain an adequacy agreement with the EU, allowing free data transfers between the US and EU.<\/p>\n\n\n\n The US Privacy Shield program<\/a> enables US-based companies \u201cto join the Privacy Shield Framework in order to benefit from the adequacy determinations\u201d, which means that certified US companies are empowered to transfer and process data without restrictions with the EU.<\/p>\n\n\n\n In the wake of the strong EU privacy laws, some states in the US have begun to pass data protection legislation to protect US consumers and users.<\/p>\n\n\n\n The California Consumer Privacy Act (CCPA<\/a>) will be the first state-wide law to empower Californian users with rights similar to the GDPR, however without important legal bases for processing of personal data, such as that of prior consent.<\/p>\n\n\n\n Take a look at our GDPR vs CCPA comparison here<\/a>.<\/p>\n\n\n\n The California Consumer Privacy Act took effect on January 1, 2020.<\/p>\n\n\n\n Read more about the CCPA here<\/a>.<\/p>\n\n\n\n The first half of the European data protection landscape is the ePD<\/strong>.<\/p>\n\n\n\n The ePrivacy Directive is an older legislation \u2013 a directive<\/em> that mandates each EU member state to pass their own national laws in correspondence.<\/p>\n\n\n\n It came into effect in 2002 and was amended in 2009.<\/p>\n\n\n\n The ePrivacy Directive was created to harmonize the national protections of the fundamental rights<\/strong> of freedoms of the peoples of Europe, in particular the right to privacy and confidentiality, as well as the free movement of data.<\/p>\n\n\n\n It is also a specifically sectoral<\/strong> directive that concerns the free movement of data and the right to privacy concerning the flow of data in the European electronic communications sector.<\/p>\n\n\n\n It applies to the processing of data in connection with publicly available electronic communications services in the EU<\/em>.<\/p>\n\n\n\n Read the official ePrivacy Directive legislation<\/a>.<\/p>\n\n\n\n The ePD<\/strong> speaks about different things concerning the EU electronic communications sector (such as its Article 7 on itemized billing), but it is particularly its Article 5 that is of interest to website owners looking to ensure that their processing of data is compliant with the European privacy laws.<\/p>\n\n\n\n In its Article 5<\/strong>, the ePrivacy Directive (ePD) directs the 27 EU member states to ensure that the storage of information or the gaining of access to information already stored on users\u2019 devices, is only allowed on condition that the user has given their consent<\/strong>, having been provided with clear and comprehensive information about the purposes of the processing.<\/p>\n\n\n\n In Recital 17<\/strong> of the ePrivacy Directive, it is further specified that consent can be given by any appropriate method, \u201cincluding ticking a box when visiting an Internet website\u201d.<\/p>\n\n\n\n This is where cookie consent banners come from, and also why the ePD eventually got its nickname \u201cthe EU cookie law<\/a>.\u201d<\/p>\n\n\n\n This half of the EU data privacy laws \u2013 the ePrivacy Directive \u2013 tells websites that if they process data in the EU, they must first inform the users and obtain their consent.<\/p>\n\n\n\n On October 1, 2019, the highest legal entity of the EU, the Court of Justice of the European Union<\/strong> (CJEU), ruled in the case of a German online gaming company, that the only form of valid consent for processing user data in the EU is explicit consent, i.e. consent that is actively and specifically given by the website users by e.g. ticking a box.<\/p>\n\n\n\n Inform yourself on the ruling by the EU Court of Justice (CJEU)<\/a> on what constitutes valid consent in the European Union.<\/p>\n\n\n\n The second half of the EU data protection landscape is the GDPR<\/strong>.<\/p>\n\n\n\n The GDPR is a newer, broader law \u2013 a regulation<\/em> that automatically is uniform law in all 27 member states (also known in legal terms as a lex generalis<\/em>).<\/p>\n\n\n\n It took effect in May 2018.<\/p>\n\n\n\n Read the official GDPR law text<\/a>.<\/p>\n\n\n\n The GDPR regulates EU data protection only when it comes to personal data<\/em>, while the ePrivacy Directive deals with all data. However, the GDPR operates on a much more general level than the ePD that is, as mentioned, specific to the electronic communications sector.<\/p>\n\n\n\n The GDPR is general in the sense that it deals with a wide variety of areas of data processing, such as data minimization, anonymization and pseudonymization, data breaches and secure data storage.<\/p>\n\n\n\n Read more about GDPR software as solutions<\/a> to the different GDPR requirements.<\/p>\n\n\n\n On May 4, 2020, the European Data Protection Board (EDPB)<\/a> issues guidelines on valid consent in the EU. They clarify what does and does not constitute a valid user consent for the processing of personal data.<\/p>\n\n\n\n EDPB guidelines<\/a> specify that scrolling and continued use of a website is not considered valid consent, cookie banners are not allowed to have pre-ticked checkboxes and cookie walls are a non-compliant way of obtaining consent.<\/p>\n\n\n\n Learn more about the EDPB guidelines on valid consent.<\/a><\/p>\n\n\n\n The GDPR, in its Article 5<\/a>, spells out how personal data is allowed to be processed, collected and stored.<\/p>\n\n\n\n Among the principles relating to processing are that it be:<\/p>\n\n\n\n Websites trying to become compliant with the GDPR must inform their users through both a privacy policy and a declaration of what cookies and trackers are in use to process their personal data.<\/p>\n\n\n\n In its Article 6<\/a>, the GDPR lays out six legal bases<\/strong> for lawful processing of personal data of data subjects in the EU.<\/p>\n\n\n\n If your website processes personally identifiable information of individuals in the EU (known in the GDPR as data subjects<\/strong>), it has to be done on one of the following legal grounds:<\/p>\n\n\n\n Most websites process personal data in the EU by obtaining the consent of their users prior to the processing<\/strong> of their personal data.<\/p>\n\n\n\n This is typically done through a consent banner<\/strong> like the one showed above, also mandated by the ePrivacy Directive.<\/p>\n\n\n\n To be compliant with the GDPR\u2019s consent basis for processing, your website will need to \u2013<\/p>\n\n\n\n Try Cookiebot CMP free for GDPR and ePD compliance<\/a><\/p>\n\n\n\n Although an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict a between the EU privacy laws. So says the European Data Protection Board (EDPB) on the issue of the convergence of the ePD and GDPR.<\/p>\n\n\n\n The ePD has a specific focus, contrary to the GDPR\u2019s broad and general focus. The ePD deals particularly with the right to privacy<\/strong> and the right to freedom of communication<\/strong> \u2013 two of the fundamental rights in the EU Charter of Fundamental Rights (Article 8) \u2013 but is e-coms sectoral.<\/p>\n\n\n\n The GDPR, on the other hand, deals in general with the rules around processing data, however only personal data<\/strong>.<\/p>\n\n\n\n It mandates not only electronic communication services but companies, organizations and institutions to obtain one of six legal bases prior to any processing of personal data, as well as controlling what conditions need be in place for the secure storage of that data, and much more.<\/p>\n\n\n\n When it comes to the interplay between the European privacy laws, the EDPB \u2013 in a general sense \u2013 says that what the GDPR speaks about, the ePD elaborates and specifies<\/strong>.<\/p>\n\n\n\n Read the EDPB\u2019s opinion of the interplay<\/a> between the ePD and GDPR.<\/p>\n\n\n\n In other words, the difference between the ePrivacy Directive (ePD<\/a>) and the General Data Protection Regulation (GDPR<\/a>) is namely that the former is specific on the issues that the latter is general about.<\/p>\n\n\n\n Compliance with the EU privacy laws means that websites across the world \u2013 if they offer services to users within the EU \u2013 must obey the legal framework created by the ePD and GDPR.<\/p>\n\n\n\n![\"Arial](\"\/media\/3747\/tomek-kaczmarek-d2lt3c32-c4-unsplash.jpg?width=500&\")
EU data protection in the US<\/h2>\n\n\n\n
\n
International data transfer and EU data protection<\/h3>\n\n\n\n
![\"Snow](\"\/media\/3748\/joel-jasmin-forestbird-tbhn4n0q6bm-unsplash.jpg?width=500&%20data-udi=\")
EU data protection vs California Consumer Privacy Act (CCPA)<\/h3>\n\n\n\n
ePrivacy Directive (ePD)<\/h2>\n\n\n\n
ePrivacy Directive on EU data protection<\/h3>\n\n\n\n
![\"Cookieboot](\"\/media\/4333\/consent_en.png?width=500&\")
General Data Protection Regulation (GDPR)<\/h2>\n\n\n\n
EDPB guidelines on valid consent<\/h3>\n\n\n\n
GDPR on EU data protection<\/h3>\n\n\n\n
\n
\n
\n
The interplay of the European privacy laws<\/h2>\n\n\n\n
![\"Mountain](\"\/media\/3750\/philipp-schlabs-2gtn4lcifna-unsplash.jpg?width=500&%20data-udi=\")