European Union Privacy Laws: Individual Privacy Law Within the EU

While the European Union allows a great deal of privacy regulation to be controlled by legislation within its member countries, there are a number of issues that it addresses across borders. EU rules are generally stricter than US privacy laws, and the EU, which arguably is geared more towards commerce regulation, has put a great deal of effort into protecting its citizens' individual privacy, especially in working with the US Department of Homeland Security.


Current European Union individual privacy laws state the following:

An individual must be provided with:

  • a clear means to access and correct the data
  • the purpose of its processing
  • the source of the data
  • who has received the data
  • who is processing their data.

All data must be:

  • accurate and up to date
  • available to the individual so as to be corrected or erased in reasonable measures by the agency
  • collected, processed and protected in a lawful manner
  • collected for practices disclosed and used accordingly so that nonpublic personal information cannot be disclosed without written consent
  • free of information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life
  • kept no longer than necessary
  • protected by supervisory authority provided by a member state
  • relevant to disclosed practices and must not exceed those purposes.

Explicit opt-in is required (with clear opportunities to opt out at a later date) for the sharing and collection of all information; consent cannot be assumed. Exceptions are:

  • when proper legal actions by government officials of member states as dictated by internal law have been taken.
  • when the exchange of data is necessary to protect a subject's life.

Clear, explicit privacy policies must be provided. Personal Nonpublic Data transferred to the U.S. Department of Homeland Security by airlines is restricted to 34 points and may only be used to combat the threat of terrorism or to serve warrants in the case of flight, providing protection to individual privacy.

While there is a degree of flexibility within the regulations, similar to those of the United States, the biggest difference is the requirement of an unambiguous opt-in.

In the European Union, the burden of accountability is on the business. It must obtain consumer and customer permission rather than assume complacency and provide later opportunities that require the customer to act in order to opt out.