
Regulatory Compliance and Data Privacy: The United Kingdom, France, and Germany


Written by Michael Higashi


In the last two installments of our Regulatory Compliance In-Depth series, we discussed the compliance landscape in North America and in East Asia, two vastly different environments with sometimes convoluted and conflicting data privacy laws. Now we turn our attention to Europe. Data privacy in the European Union is governed by the Data Protection Directive of 1995 and the Internet Privacy Law of 2002. These laws create standards among EU member states, but individual member states also have their own data security requirements and restrictions. The United Kingdom, France, and Germany are three of the most critical nations to watch.

Want to learn more about privacy and compliance requirements around the world? Download our free ebook, “Global Guide to Data Protection Laws,” today.

The United Kingdom Cloud Compliance & Data Privacy

Restrictions on data collection and transfer in the United Kingdom are considered strong. The UK adheres to a broad definition of sensitive personal data: among the information that renders data “sensitive” are racial and ethnic origin, political opinions, religious or other similar beliefs, trade union membership, physical and mental health and medical data, sexual history, criminal history, and legal history. In addition, personal data cannot be transferred to any region outside the European Economic Area unless the destination country or territory has been demonstrated to adequately protect the rights and freedoms of data subjects. This is particularly relevant for organizations considering adoption of cloud services provided by major global cloud service providers (CSPs), whose data center locations may cause data residency issues. In the UK, compliance with data privacy regulations is enforced by the Information Commissioner’s Office (ICO), which has the authority to levy fines of up to half a million pounds.

France Cloud Compliance & Data Privacy

Like the United Kingdom, France places strong restrictions on organizations’ handling of sensitive personal data. In addition to implementing the EU Data Protection Directive, France also has the French Data Protection Act, enforced by the Commission Nationale de l’Informatique et des Libertés (CNIL), which can levy fines of hundreds of thousands of euros for data protection offenses. The CNIL issues specific recommendations to ensure data security. Among those recommendations are strong password management (the poor password practices of the typical man on the street won’t fly) and the adoption of a clear information systems security policy. Additionally, transfers to countries that are not deemed to offer adequate data protection are restricted to necessary transfers whose need meets several legal requirements.

Germany Cloud Compliance & Data Privacy

Among EU member states, Germany imposes some of the strongest restrictions on the collection, use, and transfer of personal data. Germany’s federal data protection act, the Bundesdatenschutzgesetz (BDSG), was significantly reformed in 2009 to bring it up to date with modern data protection issues, and each of Germany’s 16 individual states is also required to have its own data protection laws and privacy policies, as well as a state Data Protection Authority that enforces data protection laws. The BDSG must explicitly approve the transfer of data to countries outside the European Economic Area (EEA), and data transmission into the United States must also receive explicit permission from the European Commission. Additionally, the BDSG recently implemented a breach notification duty mandating that data controllers inform supervisory authorities and affected individuals if their sensitive personal data is abused, lost, or accessed by a third party.

For enterprises doing business in these European nations, cloud adoption initiatives must be taken cautiously, with checks at multiple steps to ensure complete compliance with both national and EU data privacy regulations. Nevertheless, many European businesses have adopted the cloud and flourished.

Next Steps

Check out our cool, interactive Global Compliance Resource Center to learn more.
