Revulytics Blog

EU Data Protection Law: How to Store the Data of EU Citizens

September 29, 2015


The EU Data Protection Directive is the substantive law in the EU dictating how the data of EU citizens should be stored. If you are collecting the personal data of EU citizens, and you are based in the EU, you need to ensure that you comply with its requirements.

Things are about to be shaken up, however, as a new regulation is expected to come into force later this year: the EU Data Protection Regulation.

The EU Data Protection Regulation is stricter and broader, and will cover anyone dealing with the data of EU citizens, not just businesses or companies based in the EU.

Let’s take a look at what the law is now, what the likely changes will be, and what this means for you if you are storing the data of EU citizens.

What is the EU Data Protection Directive?

EU law is currently covered by the EU Data Protection Directive. The Directive sets out seven principles that data processors in the EU are required to abide by when collecting “personal data”:

  • Notice: individuals should be given notice when their data is being collected
  • Purpose: data collected should be only used for the stated purposes
  • Consent: personal data should not be shared with third parties without consent
  • Security: personal data should be kept safe and secure
  • Disclosure: individuals whose personal data is being collected should be informed as to who is collecting their data
  • Access: individuals should be given access to their personal data and allowed to correct it
  • Accountability: individuals should be able to hold data collectors accountable for adhering to these principles

First, let’s take a look at who the Directive applies to.

Who does the Directive Apply To?

The Data Protection Directive is implemented throughout the EU by each individual EU country. They do this by putting in place local law that covers the Directive’s requirements. The Directive is intended to apply to “data controllers” established in the EU. This includes companies incorporated in the EU, sole traders operating there, businesses that have branch offices or agencies there, or overseas companies that process the data within the EU.

One of the main rules of the Data Protection Directive requires that the personal data of EU citizens can only be transferred to countries outside the EU and the EEA when the country that the data is being transferred to has a comparable and adequate level of protection for that data.

However, a new EU Data Protection Regulation was proposed by the European Commission in 2012, which will broaden the scope of EU law and will remove all doubt on this point: the new Regulation will apply to anyone processing the data of EU citizens, regardless of whether the “data controller” is established in the EU.

What is the EU Data Protection Regulation and What Will It Change?

There are suggestions that the Regulation may come into place at the end of this year. It is intended to cover the whole EU region with one set of laws, to alleviate the problems caused by having slightly different implementations of the Directive in each individual EU country. Businesses will be able to operate more easily within the region without having to understand and comply with numerous different laws in multiple local jurisdictions.

The Regulation will also bring massive internal changes for businesses, and will require businesses operating in the region to have a Data Protection Officer. The Data Protection Officer’s role is to ensure that data collected and stored with that business is managed in line with the Regulation. The Regulation will also apply to all companies and organisations that deal with the data of EU citizens (which means that it will apply to a much broader area than just the EU); and increased fines and sanctions will be in force for those who don’t comply.

Overall, the Regulation is stricter and broader than the current Directive. You already need to be careful when you are storing the data of EU citizens outside the EU, but now will need to be careful when dealing with any data of EU citizens wherever you are based.

Now that we’ve gone through what the Data Protection Directive is, and who it applies to, as well as some of the proposed changes in the Data Protection Regulation, let’s take a look at what types of data you may be capturing and storing.

What is Personal Data?

Personal data for the purposes of the Directive includes “any information relating to an identified or identifiable natural person”. This is a very broad definition, and will include data such as the following:

  • User’s location
  • Contacts
  • Unique device identifiers (such as mobile numbers)
  • Identity of the data subject
  • Identity of the phone (name of the device)
  • Credit card and banking data
  • Call logs
  • Text messages, emails, or other forms of messaging
  • Browsing history
  • Pictures and videos
  • Biometrics data

Here’s the full text of the definition from the Directive:

Article 2

How does this directive affect call-home systems such as Revulytics Usage Intelligence?

When you use Revulytics Software Analytics, all of the collected metrics are anonymous, and end-users are identified only through the use of a unique installation ID generated automatically by the Revulytics Usage Intelligence SDK. This means that by default Usage Intelligence does not store any personal information. However, Usage Intelligence does collect an IP address to check against a GEO-IP database; even though the IP address is not stored, it is processed for the purposes of the Directive. Here’s the definition of data processing, which includes collection, organisation, and use:

Collection Organisation Use

Note that IP addresses have been held in Swiss law to be “personal data”. While Switzerland is not part of the EU, it’s important to consider that this ruling could be followed elsewhere.

Collecting Custom data

Some advanced call-home frameworks such as Revulytics Usage Intelligence also provide the software developer or vendor with specific API calls to collect any custom data of their choice. This would typically be data related to events occurring within the product, but it could be used to gather information that is “personal data” for the purposes of the Directive.  In this case Usage Intelligence gives the software developer/vendor full control over what custom data is collected.

Before we look at how you should store this data, we will quickly cover some of the things you need to be aware of when collecting and processing this information.

Collecting Personal Data

It’s vital to note that Revulytics states in their Terms of use that the developer or vendor should not collect any illegitimate info, and must inform their customers accordingly about all custom information that they are collecting that could be “personal information”. Revulytics also requires that the developer or vendor must have a Privacy Policy in place.

Trackerbird privacy policy

Given that the jurisprudence on issues such as the IP address is still up in the air, it’s best to be open and transparent with your users, and disclose to them that you (via Usage Intelligence or some other framework) process their IP address for geolocation purposes.

Remember that if you are collecting anything that is clearly personal information, as long as you get permission to collect it, inform your end-users that you are collecting it, disclose what you are using it for, and comply with the Directive’s principles above when doing so, you will remain in line with the law. Your Privacy Policy is the way in which you inform your end-user about these things.

How to inform your users

Use your Privacy Policy to disclose what information you are collecting and how you are using it. It also helps to explain why you are running a CEIP (Customer Experience Improvement Program) and how users can benefit from this program.

It’s important to tell your end-users how they can benefit from this data collection by way of an improved product, to ensure that your users are more comfortable in sharing their data.

If you are only collecting anonymous information, then it’s good to note this since it will help your end-user perception. It is advisable to offer end-users a way to opt in to or opt out of data collection. The method you use for opt-in or opt-out depends entirely on the relationship you want to have with your users and the type of license used by your software. For example, it is common for free license users to be automatically enrolled in the CEIP, whilst premium users are offered the choice to opt out.
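The handling described above (a random installation ID, an IP address used only for a country lookup and never stored, custom fields limited to what has been disclosed, and opt-out honoured) can be sketched as follows. This is an added example, not Revulytics code; the GEO-IP table, field names, allowlist and the choice to drop opted-out events before the lookup are constructed assumptions.

```python
import ipaddress
import uuid

# Constructed stand-in for a GEO-IP database (documentation address ranges).
GEO_DB = [
    (ipaddress.ip_network("192.0.2.0/24"), "NL"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "DE"),
]

# Hypothetical allowlist: only custom fields disclosed in the Privacy Policy.
DISCLOSED_CUSTOM_FIELDS = {"feature_used", "app_version"}


def new_installation_id():
    """Random ID created at install time; derived from nothing about the user."""
    return str(uuid.uuid4())


def country_for(ip_text):
    """Resolve an address to a country code, or None if unknown or malformed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, country in GEO_DB:
        if addr in net:  # False when IPv4/IPv6 versions differ
            return country
    return None


def build_stored_record(raw_event, opted_out_ids):
    """Return the record to persist, or None when the installation opted out."""
    install_id = raw_event["installation_id"]
    if install_id in opted_out_ids:
        return None  # dropped before any processing, including the IP lookup
    custom = raw_event.get("custom", {})
    return {
        "installation_id": install_id,
        "country": country_for(raw_event.get("source_ip", "")),
        # The source IP is used for the lookup above and deliberately not copied.
        "custom": {k: v for k, v in custom.items() if k in DISCLOSED_CUSTOM_FIELDS},
    }
```

Even in this form the IP address is still processed in the Directive's sense, so the disclosure advice above still applies.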

Now let’s look at some of the considerations you should have in mind when storing this data.

What Does This Mean for Storing the Data of EU Citizens?

The data of EU citizens should only be stored within the EU, or a country with comparable and adequate level of protection for that data. The EU has currently deemed the following countries as meeting this standard:

Countries with an adequate level of protection

Image: UK Information Commissioner’s Office

How to Choose a Storage Provider?

When building a call-home system or choosing a third party provider, you should ideally choose a reputable provider in a country either within the EU, or one of the countries that meets the EU Data Protection Directive’s requirements.

Trackerbird (now part of Revulytics) was a company based in the EU but with primary datacentres in the USA and the Netherlands. By default, all data is stored in the US and backed up in Amsterdam. However, Revulytics customers are also offered the option to host their entire call-home data in Amsterdam only.

As we noted above, the personal data of EU citizens can only be transferred to countries outside the EU when the country that the data is being transferred to has a comparable and adequate level of protection for that data. The US data protection laws are patchy at best, and it is clear that they aren’t deemed to have an adequate level of protection for data as per the list above - however, there are some exceptions to the above rule. There is a Safe Harbor provision in place that deems the US privacy protections to be as good as the EU (even though they aren't). This means storing data in a US datacentre is still suitable for when you collect the data of EU citizens.

No matter which provider you choose, ensure that they have an excellent security record, and take the time to read customer reviews to get a feel for how the provider manages customer service. Also make sure that you check through your SLA with your storage provider carefully.

Conclusion

Storing the data of EU citizens is not tricky, as long as you choose a reputable provider in either an EU country, an approved country, or a country with a Safe Harbor provision in place such as the US. Be aware of what types of data could be “personal information”, and ensure that you comply with EU law whenever you are collecting, processing, or storing it. 

Leah Hamilton

Post written by Leah Hamilton

This is a guest post by Leah Hamilton. Leah is a qualified Solicitor and writer working at TermsFeed, where businesses can create legal agreements in minutes using the Generator. You can follow TermsFeed on Twitter @TermsFeed, or on Medium.