End-of-2013 Privacy News: Confusion in Europe, California Forges Ahead




Robinson Bradshaw Publication
Feb. 11, 2014

As 2013 ended, the big news in privacy law was being made in the European Union and the California state legislature, as it has been for the last twenty years. But whereas Europe is enveloped in confusion and uncertainty, California continues to forge ahead with new protections and requirements for businesses.

2012 saw the announcement of a proposed EU Data Privacy Regulation. It would continue current trends in EU privacy law, but with some significant new burdens. The new regulation would expand coverage to foreign companies “offering goods or services” to people in the EU or “monitoring their behavior,” provide for private lawsuits and large fines against violators, make it harder for companies collecting data to obtain consent, and, most controversially, give EU residents a “right to be forgotten, and to erasure,” meaning that companies will have to somehow eliminate information that data subjects decide to take out of circulation.

The original predictions were that the proposed regulation would take two years or more to get through the European Parliament. Then, at the end of 2013, the EU Commission (the EU’s executive branch) announced a push to get the legislation through in early 2014. The latest news, however, coming out of a recent EU summit, is that the approval process will likely drag on into 2015. Businesses continue to lobby against the most onerous provisions, so 2013 ended with both the timing and the ultimate form of the law still up in the air. We continue to advise U.S. companies that do business in the EU that something essentially resembling the current draft is likely to be finalized in the next two years, and to start to prepare for that eventuality.

And in related EU news, the Safe Harbor appears to be in trouble. This provision, administered by the U.S. Department of Commerce, allows U.S. companies to receive transfers of personal data relating to EU residents by certifying that they are providing EU-level privacy protection. In the wake of the NSA revelations, a number of EU officials have suggested that the program has no teeth, or is merely a loophole that allows U.S. companies to evade scrutiny simply by saying that they are in compliance. A report from the EU Commission is expected soon, and many observers expect the EU to repudiate the Safe Harbor. Few American companies rely on it, but those that do should start planning for an alternative—such as the EU’s approved contractual protections—or risk losing the right to transfer data.

Meanwhile, California continues to be the leader in enacting privacy laws in this country. Several of the laws enacted in 2013 may affect businesses doing online business with California residents, including these:

Other, more sector-specific new laws strengthen protections for health care records and prohibit the sale of utility (water, power, etc.) usage data. A variety of privacy bills are still pending. The most significant of these would give consumers a right to receive a copy of any personal information that a business has retained within 30 days of requesting it.
