The EU Data Protection Directive is the substantive law in the EU dictating how the data of EU citizens should be stored. If you are collecting the personal data of EU citizens, and you are based in the EU, you need to ensure that you comply with its requirements.
Things are about to be shaken up, however, as a new regulation is expected to come into force later this year: the EU Data Protection Regulation.
The EU Data Protection Regulation is stricter and broader, and will cover anyone dealing with the data of EU citizens, not just businesses or companies based in the EU.
Let’s take a look at what the law is now, what the likely changes will be, and what this means for you if you are storing the data of EU citizens.
EU law is currently covered by the EU Data Protection Directive. The Directive sets out seven principles that data processors in the EU are required to abide by when collecting “personal data”:
First, let’s take a look at who the Directive applies to.
The Data Protection Directive is implemented throughout the EU by each individual EU country. They do this by putting in place local law that covers the Directive’s requirements. The Directive is intended to apply to “data controllers” established in the EU. This includes companies incorporated in the EU, sole traders operating there, businesses that have branch offices or agencies there, or overseas companies that process the data within the EU.
One of the main rules of the Data Protection Directive requires that the personal data of EU citizens can only be transferred to countries outside the EU and the EEA when the country that the data is being transferred to has a comparable and adequate level of protection for that data.
However, a new EU Data Protection Regulation was proposed by the European Commission in 2012, which will broaden the scope of EU law and will remove all doubt on this point: the new Regulation will apply to anyone processing the data of EU citizens, regardless of whether the “data controller” is established in the EU.
There are suggestions that the Regulation may come into place at the end of this year. It is intended to cover the whole EU region with one set of laws, to alleviate the problems caused by having slightly different implementations of the Directive in each individual EU country. Businesses will be able to operate more easily within the region without having to understand and comply with numerous different laws in multiple local jurisdictions.
The Regulation will also bring massive internal changes for businesses, and will require businesses operating in the region to have a Data Protection Officer. The Data Protection Officer’s role is to ensure that data collected and stored with that business is managed in line with the Regulation. The Regulation will also apply to all companies and organisations that deal with the data of EU citizens (which means that it will apply to a much broader area than just the EU); and increased fines and sanctions will be in force for those who don’t comply.
Overall, the Regulation is stricter and broader than the current Directive. You already need to be careful when you are storing the data of EU citizens outside the EU, but you will now need to be careful when dealing with any data of EU citizens, wherever you are based.
Now that we’ve gone through what the Data Protection Directive is, and who it applies to, as well as some of the proposed changes in the Data Protection Regulation, let’s take a look at what types of data you may be capturing and storing.
Personal data for the purposes of the Directive includes “any information relating to an identified or identifiable natural person”. This is a very broad definition, and will include data such as the following:
Here’s the full text of the definition from the Directive:
When you use Revulytics Software Analytics, all of the collected metrics are anonymous, and end-users are identified only through the use of a unique installation ID generated automatically by the Revulytics Usage Intelligence SDK. This means that by default Usage Intelligence does not store any personal information. However, Usage Intelligence does collect an IP address to check against a GEO-IP database; even though the IP address is not stored, it is processed for the purposes of the Directive. Here’s the definition of data processing, which includes collection, organisation, and use:
Note that IP addresses have been held in Swiss law to be “personal data”. While Switzerland is not part of the EU, it’s important to consider that this ruling could be followed elsewhere.
Some advanced call-home frameworks such as Revulytics Usage Intelligence also provide the software developer or vendor with specific API calls to collect any custom data of their choice. This would typically be data related to events occurring within the product, but it could be used to gather information that is “personal data” for the purposes of the Directive. In this case Usage Intelligence gives the software developer/vendor full control over what custom data is collected.
Before we look at how you should store this data, we will quickly cover some of the things you need to be aware of when collecting and processing this information.
Given that the jurisprudence on issues such as the IP address is still up in the air, it’s best to be open and transparent with your users, and disclose to them that you (via Usage Intelligence or some other framework) process their IP address for geolocation purposes.
It’s important to tell your end-users how they can benefit from this data collection by way of an improved product, to ensure that your users are more comfortable in sharing their data.
If you are only collecting anonymous information, then it’s good to note this, since it will help end-user perception. It is advisable to offer end-users a way to opt in or opt out of data collection. Which method you use for opt-in or opt-out depends entirely on the relationship you want to have with your users and the type of license used by your software. For example, it is common for free license users to be automatically enrolled in the CEIP, whilst premium users are offered the choice to opt out.
Now let’s look at some of the considerations you should have in mind when storing this data.
The data of EU citizens should only be stored within the EU, or a country with comparable and adequate level of protection for that data. The EU has currently deemed the following countries as meeting this standard:
Image: UK Information Commissioner’s Office
When building a call-home system or choosing a third party provider, you should ideally choose a reputable provider in a country either within the EU, or one of the countries that meets the EU Data Protection Directive’s requirements.
Trackerbird (now part of Revulytics) was a company based in the EU but with primary datacentres in the USA and Netherlands. By default all data is stored in the US and backed up in Amsterdam. However, Revulytics customers are also offered the option to host their entire call-home data in Amsterdam only.
As we noted above, the personal data of EU citizens can only be transferred to countries outside the EU when the country that the data is being transferred to has a comparable and adequate level of protection for that data. The US data protection laws are patchy at best, and it is clear that they aren’t deemed to have an adequate level of protection for data as per the list above. However, there are some exceptions to the above rule. There is a Safe Harbor provision in place that deems the US privacy protections to be as good as the EU (even though they aren't). This means that storing data in a US datacentre is still suitable when you collect the data of EU citizens.
No matter which provider you choose, ensure that they have an excellent security record, and take the time to read customer reviews to get a feel for how the provider manages customer service. Also make sure that you check through your SLA with your storage provider carefully.
Storing the data of EU citizens is not tricky, as long as you choose a reputable provider in either an EU country, an approved country, or a country with a Safe Harbor provision in place such as the US. Be aware of what types of data could be “personal information”, and ensure that you comply with EU law whenever you are collecting, processing, or storing it.