Companies doing business in the EU have to comply with EU and national personal data privacy legislation. Unfortunately the data privacy legislation in the EU is not yet fully harmonized. This means that in practice, although companies can expect commonalities between legislations of the EU Member States as a result of the EU Data Privacy Directive, companies still have to verify what obligations and restrictions the various national data privacy legislations and regulators of the countries they are active in impose on them.
The EU is working on a Data Privacy Regulation which should further harmonize the various rights and obligations, but there is no set deadline for the adoption of the Regulation – which is the subject of intense lobbying efforts.
The French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or CNIL) is an example of an active data privacy regulator which has investigative powers and uses them. The CNIL has just announced (here) its inspection programme for 2013. The programme sets out the inspection priorities for the year and contains some interesting data on its activities. Notably, in 2012 the CNIL carried out 458 inspections, an increase of 19% compared to 2011. For 2013, it aims to carry out approximately 400 inspections and will focus its inspection activities on 5 priority fields.
Although not all EU Member State data privacy regulators are as active as the French CNIL, management concerned with their company’s brand image and general compliance should also keep in mind the necessity of regular reviews of their current and envisaged data processing activities.