Now that the value of Big Data is more clear, it is necessary to look at how all this data is protected through Europe. First the European Union will be looked at, followed by some of the EU countries including the Netherlands, to compare if all European citizens are protected the same.
To get a better understand about what a EU law means to consumers and businesses in Europe, the different types of laws need to be distinguished. There are five types of laws namely, a regulation, directive, decision and recommendations & opinions. Each of these types of law have a different consequence for a EU country (Davies, 2013).
A regulation is a general application, which means it applies to all EU countries, and the regulations is binding in its entirety. A regulation is directly applicable into national laws, which means that national legislators do not need to incorporate the regulation. Since a regulation is directly applicable it means that there is a uniformity of law throughout the EU (Davies, 2013).
A directive is a sort of law which is only binding to those who the directive is addressed to. It is an obligation for member states to try to find a particular outcome which comes close to what the directive says. A directive will be implemented into national legislation of the member states that need to do so and the European Union draft directives to ensure a form of harmonization of rules in the EU (Davies, 2013).
Decisions are directly applicable into national legislation but not for the entire European Union. A decision looks a lot like a regulations however, a decision is only binding to the member state the decision is addressed to (Davies, 2013).
Recommendations and opinions
The big difference between regulations, directives and decisions when looking at recommendations and opinions is that the last two sort of laws are not legally binding. They are called soft law and even though they are not legally binding, they are influential and national court should take these into account (Davies, 2013).
The European Union has finalized the directive 95/46/EC the protection of personal data in December 1995. The directive is made to protect the rights and freedom with respect of processing personal data. Three major parts in this directive are important, starting with data processing is only legal when:
1. The person who’s data is being used has given its consent to do so.
2. Data processing is necessary because of the performance of a contract to which the data is subject.
3. Data processing is necessary for submission off a legal obligation.
4. Data processing is necessary for the performance of a tasks which is performed with the public interest in mind.
5. Data processing is necessary for legitimate interest by or a third party or a controller, except when the interest overrides the fundamental rights and freedom of the data which should be protected.
Besides these five rules there are two data quality principals, data must always be processed fairly and according to the law and the purpose must be specified beforehand. And it is forbidden to process data which reveals racial or ethnic origins, political opinions and religious believes. The directive as well states that a person who’s data is processed can exercise the following rights:
1. A person always has the right to obtain the information, this means the controllers should be open about what is done with the data.
2. The person has the right to access the data at all times.
3. The right to object to the processing of the data.
As learned until now is that the European Union has set a directive for Member states to implement into their law, this means that the information above is a guideline and member states have the right to implement these point to their own meaning. The entire directive can be found in annex one. Now that the European Union’s point of view of internet privacy is set out, it is necessary to look at specific countries to see how internet privacy differs or is the same for all citizens in the European Union.
Second is that the Dutch government believes that is must be possible for a person to be forgotten on the internet. An organization or business must deleted all personal data of the specific person when asked. Plus there should be an option for a consumer to gain a copy of all existing data about him or herself. This rule comes out of the directive of the European Union. Last important point in the protection of personal data in the Netherlands is that a person visiting any website should get a clear and brief explanation about the use of personal data. It is not sufficient anymore for a website owner to only provide a large and unclear explanation. The CBP, a supervisory board that looks after protecting personal data is authorized by the Dutch government to fine any business or organization how breaks these rules. The government wants to empower them even more in the future, unfortunately it is not clear yet how (Rijksoverheid, n.d.). Conclusion after analyzing both the European directive and the Dutch act is that there is little to no differences. Due to the fact that privacy is a wide conception, the focus will be on the cookie acts, since with accepting a cookie a person gives permission to have their data being used.
The Netherlands transferred the EU law into the national legislation. Germany however thought their current cookie law was protective enough and did not needed to be adjusted. Currently in Germany the Tele media Act specifies that users must be informed when organizations or businesses use methods that could identify personal data. It is therefore considered that website owners should inform users on how cookies are being used in their privacy policies. The law as well says that users should be able to refuse the use of their data for the purpose of marketing. The question in Germany rise as to whether this would apply to the collection of an IP address and the German data protection authorities released an announcement in 2009 clarifying that an IP address would not count as an alias and that where the full IP address is collected, the website owner must have asked for approval, which is same as in the Netherlands (German Cookie Law, 2015). When analyzing the current information it seems that the German law is not that different as the Dutch act or what is mentioned in the EU directive. It could be said though that the EU directive is stricter than the German law due to the fact that the EU directive requires permission when data is stored, this does not need to be personal data only. However in the Facebook case the German law stand out as very strict (German Cookie Law, 2015).
Facebook announced in 2014 that as of January first 2015 the privacy setting would change. They will have access to the information of a person using a particular app or another website. This information they use to advertise better on the user’s profile on Facebook (Eg, 2014). Since the headquarter of Facebook is established in Ireland, the European privacy law is binding for all EU countries. However the highest judge in Germany decided that due to the fact that all the Facebook information goes to a server in the USA, the privacy law of the USA should be binding. However because of the fact the USA is not part of the EU, Germany can decide for itself how to protect its citizens (Kruidhof, 2014). What is comes down to is that due to this decision the Germany users of Facebook can protect themselves through the privacy settings of the fact that their name and profile picture cannot be placed on another timeline as a form of advertising. Furthermore are German Facebook users given the power to not give up their right on their own pictures and video’s (Eg, 2014). The reason why Dutch citizens are not protected the same as the German is caused by the Dutch government who uses the EU law when it comes to Facebook. The Dutch government however is working on a new bill which should give the organization that protects Dutch data more power, for example fining Facebook for misuse. Unfortunately until now this is not the case and they are only allowed to warn companies, which according to Jacob Kohnstamm, director of the CBP, the advisory board of the protection of data is convinced that big companies such as Facebook will not be scared by a fine (Kruidhof, 2014).
United Kingdom and Ireland
As seen until now is that all EU countries must find a way to implement the EU directive into national legislation. Ireland did this at the simplest way possible to ensure some of the biggest online companies to keep their headquarter in Ireland. Where the EU directive says that there must be an option (pop-up in most cases) to give consent of the use of a person’s data, the Irish cookie law says that this permission does not have to be explicit but could be initiated. This means that citizens in Ireland could give consent through their website browser in the privacy settings. This setting is than leading for all website and keeps companies from writing pages about the use of data on their website (Irish Cookie Law, 2015).