On January 25, 2012, the European Union proposed a comprehensive reform of its data protection laws, which have not been revised since 1995. Intended to “strengthen online privacy rights and boost Europe’s digital economy,” the proposal would overhaul the EU’s 1995 data protection rules.

Most notably, the proposed revisions: (1) establish a single set of rules on data protection for all member states; (2) apply the EU’s data rules to personal data handled abroad by companies that offer their services to EU citizens; and (3) penalize violations of the EU data protection rules by imposing fines of up to 2 percent of a company’s annual global revenue. While the EU proposal would also impose affirmative data security and data breach notification obligations on companies, it would simultaneously remove burdensome and unnecessary administrative requirements as a means of cutting business costs. The proposal, however, must still be approved by the full EU Parliament, as well as the European Council of member states, and it could see substantial changes before then. If ultimately finalized and approved, the proposal would not take effect until two years after passage.

The proposed changes are no surprise, as data protection and privacy has been a topic of interest in Europe since the EU Data Privacy Directive (the “Directive”) was implemented in 1995. Council Directive 95/46, 1995 O.J. (L281) (EC). In recent months, several notable investigations and cases have been evaluated in Europe. One of the more noteworthy cases was ruled on by the European Court of Justice (ECJ) on November 24, 2011. In that case, the ECJ held that Internet Protocol (IP) addresses are “protected personal data” within the meaning of the Directive, which prohibits the processing of personal data within the EU unless certain conditions are met. Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL, Case C-70/10 (ECJ Nov. 24, 2011). The ECJ, therefore, rejected an injunction issued by a Belgian court that required an Internet service provider (ISP) to collect and identify users’ IP addresses as part of an anti-piracy program designed to monitor and filter its customers’ online activity. This case is significant because prior to the ECJ’s landmark decision, national regulators throughout Europe had taken differing positions on whether IP addresses are personal data and thereby protected under EU law.

The ECJ, which is the highest court in the EU, is tasked with interpreting EU law and ensuring its equal application across all EU member states. Although it has no jurisdiction over matters of national law, national courts may refer questions of EU law to the ECJ. Once the ECJ issues a ruling, the referring court must then apply the ECJ’s interpretation to the facts of a given case. Given this, it is important to track the ECJ’s decision as it will provide binding precedent that must be followed all EU institutions, member states, and national courts.

In the Scarlet decision, the ECJ reasoned that users’ IP addresses do, in fact, constitute protectable “personal data” because they “allow those users to be precisely identified.” Moreover, it noted, the filtering system imposed by the Belgium court’s injunction had no expiration date, was directed exclusively at future infringements, and was “intended to protect not only existing works, but also future works” that would not yet exist at the time of the system’s introduction. This decision further distinguishes the EU’s data policies from those in the United States, where IP addresses are typically considered non-personal information.

These developments illustrate the importance of monitoring compliance not only with local data security regulations, but also with those that govern any foreign markets in which a company is an active participant. Firms doing business in the EU, or any other foreign country for that matter, are therefore advised to have appropriate legal counsel review their privacy policies as well as any customer information collection practices that they employ.

Arent Fox will continue to monitor the status of data security laws, both domestically and internationally.