So How’s that New EU Regulation Coming Along?

General Counsel and Chief Privacy Officer

With all the focus on the Russia data localization law (and if you haven’t taken steps to come into compliance with that law, you ought to stop reading this and get that done), you might take your eyes off of the EU “trilogue” going on right now. That would be a mistake!

In case you’ve lost the plot, or never really paid attention, let’s quickly review: The EU data protection directive is some 20 years old now and it’s in need of a make-over. A vast amount of new technology has emerged in those years and with that in mind, along with other experiences (think US Safe Harbor “disappointments”), the EU has been hard at work for quite a few years to update, harmonize and strengthen its laws. And they are almost done. In fact, the so-called “trilogue” is the final step in the process (the term simply refers to the three bodies that are required to agree upon legislation that is to be given the force of law in the EU). The expectation now is that the new data protection regulation will be agreed upon and enacted by the end of this year or maybe early into next. Notice the use of the term “regulation”. That means it will have the force of law across the EU without further adoption of local laws. So, when it’s law, it’s law! Unlike the prior directive, there won’t be a long secondary process and wait while local jurisdictions work it over and create mini-laws.

The current expectation is that there will at least be some waiting period after adoption before the regulation becomes effective… perhaps as much as one year (so January 2017 in all likelihood).

What does it mean? Well, there are going to be very substantial changes for everyone who touches personally identifiable data and does business or has employees in the EU, which includes the majority of larger organizations and essentially all survey professionals unless their practice is quite local to the US. In our prior Privacy Posts, we’ve highlighted a few of the major probable changes coming down the road.

It’s still impossible to know for sure where the regulators will come out on a host of pending issues. Nonetheless, we feel confident in predicting that one of the driving philosophical perspectives of the new law will be “privacy by design”. This is the notion that organizations must affirmatively act to implement privacy policies so that the protection of data becomes part of the process of the organization and not simply an agreeable pronouncement that not many people take seriously. Think of it this way: almost all businesses have protections in place through detailed and rigorously enforced policies to protect against a variety of financial risks, and most companies are very serious about it. Now do the same for personally identifiable information!

Some organizations have already begun this process in anticipation of the new regulation.

Please comment below to add your thoughts or simply discuss this privacy post, or feel free to contact me directly at
