European Union Commission Questions U.S. Privacy Laws and Calls for Application of EU Data Privacy Standards Worldwide
The widely reported revelation that the United States National Security Agency has engaged in extensive and systematic domestic and foreign surveillance has brought renewed attention to the data privacy laws and standards in effect in the United States. In response to this scandal, on November 27, 2013 the Commission of the European Union released a strategy memo intended to set out the conditions for rebuilding trust between the United States and the EU. Among other things, it suggests that the EU and U.S. should promote data privacy standards internationally. This article describes the initiatives proposed in the EU memo that may affect companies doing business in the EU and then considers whether the European view of privacy would be acceptable to the other major commercial users of the internet, the United States and China.
The strategy memo claims that EU Member States and citizens do not believe that the current regulatory framework for the transfer of commercial data between the EU and the U.S. sufficiently protects personal data. It then sets forth multiple initiatives aimed at addressing EU concerns that U.S. authorities and U.S. businesses have been improperly accessing and exchanging the personal data of EU residents. Three of these initiatives are aimed at increasing the oversight of the transfer of personal data by businesses.
The memo first argues that the Safe Harbor program that allows for the transfer of data in commerce between the EU and the U.S. does not sufficiently protect personal data and recommends that the requirements of the program be reconsidered immediately. The Safe Harbor program is a response to the 1995 EU Data Protection Directive, which prohibits the transfer of the personal data of EU residents to countries that do not provide privacy safeguards adequate by EU standards. The EU has among the most rigorous data protection requirements in the world, and few countries, including the U.S., can meet this test. In order to allow for the flow of personal data from the EU to the U.S. despite the Directive, the EU and the U.S. established the Safe Harbor program, which is administered in the United States by the Department of Commerce and enforced by the Federal Trade Commission. Under the Safe Harbor, a U.S. company that certifies that it meets EU-level data protection standards is considered compliant with the Safe Harbor and is permitted to collect and transfer personal data gathered on EU residents. Although the Safe Harbor standards are onerous and unpopular with U.S. companies, most companies that have significant operations in Europe have found a way to comply with them. The strategy memo questions the transparency and enforcement of the Safe Harbor principles, noting that some companies that claim to be compliant with the certification requirements are not in fact compliant. It calls for the urgent engagement of U.S. authorities to discuss the shortcomings of the Safe Harbor, and in particular for increased monitoring and supervision by the FTC, as well as the establishment of a dispute resolution mechanism for EU citizens who believe their personal data has been inadequately protected. It further points out that the EU Commission has the authority to suspend or revoke the Safe Harbor if the scheme no longer provides adequate protection.
As a second initiative, the Commission requests that the European Parliament and Council approve, during the spring of 2014, the comprehensive data protection reform proposed by the Commission in January 2012 (the EU Data Privacy Protection Regulation). This proposed reform makes extensive changes to the current EU data protection regime and significantly expands the scope of regulation (as more fully described in an earlier article, “The Impact of the Proposed EU Data Privacy Regulation on U.S. Companies”). Currently, U.S. companies without an EU establishment are not subject to EU regulation when they collect the personal data of individuals who reside in the EU unless the U.S. company collects or processes the data using equipment located in the EU. The proposed reform expands coverage to all companies that collect data from EU residents, even if they do not have any established operations in the EU. Needless to say, this would result in a significant expansion in the number of U.S. companies required to comply with the EU standards. Commentators had speculated that the approval process by the European Parliament and Council could take as long as four years, but the strategy memo argues that prompt passage of the Regulation would send a strong and necessary message about the protection of personal data. The call to adopt this reform by spring 2014 sets an accelerated timeline for U.S. companies that may be newly subject to EU law to come into compliance with the EU standards.
As a third initiative, the Commission suggests that EU rules of collection, processing and transfer of data be promoted internationally. It also calls on the U.S. to enact legislation strengthening U.S. domestic data privacy laws, in particular by passing legislation based on the “Consumer Privacy Bill of Rights” proposed by President Obama in February 2012. The strategy memo suggests that enactment of such legislation, combined with the EU law, could form a basis for other cross-border data transfer laws. However, the willingness of the U.S. and other countries to follow the EU blueprint for data privacy protection is unclear.
Although they are not acknowledged in the memo, there are significant ideological differences between the EU, on one hand, and the United States and much of the rest of the international community, on the other, about the importance of privacy rights. The EU treats privacy as a fundamental human right and has adopted strong uniform legislation to protect data privacy. By contrast, the U.S. Constitution does not expressly include a right to privacy, and the prevailing view in the U.S. has long been that privacy must be balanced against the competing interests of commerce and free speech. Consequently, current federal law does not address data privacy in a comprehensive way. Instead, federal law deals only with certain sensitive sectors (principally health, finance, and children) and the general protection of privacy has been left largely to the states.
The ability of the EU to export its data privacy protection regime to other countries will largely depend on two factors: (1) the extent to which those other countries share the European ideological view of privacy and (2) the extent to which the EU can obtain a critical mass of adherents so that other countries that do not share that view, such as the U.S., are practically forced into compliance. One of the key countries in this equation is, of course, China. With China’s population of over 1.3 billion (an estimated 40% of them using the internet) and total online sales in 2013 estimated to be in excess of $200 billion, the willingness of Chinese authorities to accept the EU approach will be critical to the EU’s success in exporting its privacy standards.
Over the past year, Chinese authorities have begun the process of strengthening the protection of personal information through the issuance of two important directives, although the impact of these directives and the details of their enactment are still unclear. First, in December 2012, the Standing Committee of China’s National People’s Congress, which is China’s legislative body, issued a Decision to regulate the collection of personal information by network service providers and other entities in China. The Decision contemplates the protection of “personal electronic information,” which is described as information that individually identifies citizens or that involves a citizen’s privacy, but no further guidance is given on what may constitute a citizen’s privacy. The law includes prohibitions on the sale or illegal disclosure of personal electronic information as well as guidelines for notice and disclosure by those who collect personal electronic information.
Then, on February 1, 2013, China’s first national standard for the protection of personal information became effective with the issuance of the Information Security Technology Guidelines for Personal Information Protection. In contrast to the 2012 Decision, which focuses on the obligations of the collectors of personal information, the 2013 Guidelines include implied rights held by the subjects of that personal information. For instance, the Guidelines set forth what the collectors of personal information are required to do when a subject requests to inspect or modify the personal information held by the data collector. It is important to note that the Guidelines do not affirmatively give the data subject the right to inspect. They do, however, require the data collector to do certain things if the data subject makes such a request, which implies that the data subject has such a right. This contrasts with the EU regime, in which data subjects have clearly stated affirmative rights, such as the right of erasure, which allows a data subject to require a data controller to erase the personal data relating to them. Moreover, China’s Guidelines are not mandatory and do not include penalties for non-compliance, although it is anticipated that they could serve as a source for the drafting of more comprehensive laws. Although the issuance of the Guidelines indicates that the Chinese government may be amenable to developing a comprehensive national law on personal data protection, the facts that they include only implied rather than affirmative rights and that they are not mandatory suggest that Chinese authorities may not view data privacy as a fundamental right, as the EU does.
Ultimately, it is unclear whether the EU view of privacy as a fundamental right will be accepted on an international basis. However, the Commission’s stated intentions to (1) reassess the efficacy of the Safe Harbor program and (2) accelerate the timeline for passage of the new data privacy reform regulation are causes for concern for U.S. businesses that collect data from EU residents. As more fully described above and in our previous post, the proposed regulation significantly expands the number of U.S. businesses that would be required to comply with EU standards and includes stiff penalties for those that do not (including possible monetary penalties of up to 1 million euros or, for an enterprise, 2% of its annual worldwide turnover). With the prospect of increased coverage and severe penalties, U.S. companies would be well advised to develop a strategy to address the reform now.
There are several steps that U.S. companies should take in response to the strategy memo. First, a company that relies on the Safe Harbor program to collect data from EU residents should confirm its compliance with the Safe Harbor requirements, as the FTC is likely to respond to the strategy memo by increasing its scrutiny of companies that rely on the program. Second, all companies that collect data from EU residents should review or develop an internal data collection policy that accurately reflects how they are collecting, using and storing personal information. Third, this policy should be narrowly and specifically tailored to the business needs of the company and conform to applicable U.S. regulations. By taking stock of its internal processes now, a company can better assess its compliance needs should the new reform be passed, and can reduce the burden of implementing any required changes.
The EU Observer reported on December 6, 2013 that the proposed EU data privacy reform regulation hit a setback when a number of countries questioned a key provision and that adoption would likely be postponed until the end of 2014 after the European Parliament elections (see http://euobserver.com/justice/122384). This delay may serve as a reprieve for those U.S. companies that have yet to review or implement a data collection policy.