The Impact of the Proposed EU Data Privacy Regulation on U.S. Companies



Practice Areas

Robinson Bradshaw Publication
March 22, 2012

The United States and the European Union have long had different philosophies on the collection and protection of personal data, which is defined broadly by the EU as any information relevant to an identified or reasonably identifiable natural person. The EU views individuals as having a fundamental right to the protection of their personal data. In the United States, the focus has always been on balancing the desire of individuals to have their personal data protected with the needs of businesses to use that data. The United States has also had a stronger commitment to the free speech rights of those who want to use or comment on lawfully acquired personal data.

The EU adopted a directive (an order for member states to adopt consistent legislation) on the protection of personal data in 1995, and U.S. companies with significant operations in the EU have struggled since then to find ways to accommodate the EU demands. The major problem has been, and continues to be, that the EU forbids the transfer of personal data about EU residents to countries – including the U.S.– that do not provide an EU-level of privacy protection. Even intracompany transfers are affected. The present options for U.S. companies include joining a Department of Commerce Safe Harbor program, under which companies must demonstrate an adequate privacy policy; conducting data transfers under EU-approved Standard Contractual Clauses, which many U.S. companies find too onerous; and adopting EU-approved, legally effective Binding Corporate Rules, which have also been unpopular in this country. While compliance under any of these methods has never been a pleasant exercise, most U.S. companies have found a way to cope.

The European Commission, the EU’s executive branch, has now proposed a new personal data regulation that will make life dramatically more difficult for an even greater number of U.S. companies. The regulation itself is lengthy and complex, with 91 articles preceded by 139 findings that explain the reasoning behind the regulation. While there may be some controversy over some of the proposals, this regulation has been under development for years and most observers expect it ultimately to be adopted without major changes. The remaining procedural hurdle of obtaining final approval by the EU’s Parliament and Council is expected to delay actual implementation for as little as 18 months or as long as four years, depending on whom you ask. When finally adopted, the regulation, unlike a directive, will take effect throughout the EU without the need for country-by-country legislation. The regulation will make far-reaching changes that could impact any business collecting and using the personal data of EU residents.

This article provides a starting point for U.S. businesses that will need to find a way to deal with these changes. First, we discuss the broad scope of the EU Regulation and the risks and burdens it will impose on U.S. companies. Then we suggest some steps that U.S. businesses should be taking now to prepare for the change.

The Scope of Regulation

EU data privacy law has always applied to the activities of any company that has a place of business (or, in EU jargon, an “establishment”) physically located in the EU. However, under the existing directive, U.S. companies without an EU establishment are not subject to regulation when they collect the personal data of individuals who reside in the EU unless the U.S. company collects or processes the data using equipment located in the EU. As a practical matter, this excludes coverage for most small and mid-sized U.S. companies that collect personal data from EU residents only as a part of their normal online sales process.

The new regulation would expand coverage significantly. It distinguishes between data controllers and data processors: the controller is the person or entity in charge of the collection and use of data, while the processor is just that – the entity that actually performs the data operations. They can, of course, be the same or different entities. Under Article 3, the regulation will continue to cover “the processing of personal data by controllers or processors with an establishment in the EU.” Finding 19 states that an “establishment” in the EU involves “stable arrangements,” whether in the form of a branch or a separate corporate subsidiary.

The major change in scope is the extension of coverage to companies merely because they collect data from EU residents, even though they have no established operations in the EU. Under Article 3, the regulation will apply to the processing of personal data of residents of EU countries by a controller not established in the EU, where the processing activities are related to (a) the offering of goods or services to such EU residents; or (b) the monitoring of their behavior, which can include tracking and profiling internet activities for the purpose of analyzing or predicting preferences.

If an EU resident believes that a U.S. company has violated the regulation, she can choose (under Article 75) to bring suit in her home country, which is mandated to “enforce the final decisions” of its courts. While the enforceability of a judgment against a U.S. company presents thorny questions of international jurisdiction, this is not an empty threat. If the U.S. company had property in the EU, a European court could order the seizure of that property to satisfy the judgment. If not, the EU plaintiff would have to bring the judgment to an American court for enforcement against the company’s property here. A U.S. court could enforce the judgment so as long as the U.S. company did a non-trivial amount of business (had “minimum contacts,” in jurisdictional jargon) in the EU.

In addition to the risk of a lawsuit, a U.S. company that violated the regulation would be subject to significant administrative sanctions under Article 79. The sanctions are supposed to be painful – they are specifically required to be “effective, proportionate and dissuasive.” The penalties will vary depending on the nature of the violation, but can range up to one million euros or 2 percent of the violator’s worldwide turnover. As in the case of private judgments, the EU privacy authorities’ ability to collect such penalties would depend on the principles of international jurisdiction discussed in the previous paragraph.

Taken together, these changes present a clear danger for U.S. companies doing business in the EU. The coverage of the new regulation is broad, the penalties for noncompliance are severe, and the penalties may be enforceable against any U.S. company doing any meaningful amount of business with EU residents. Ignoring EU data privacy rules will no longer be a viable option.

The Regulatory Burden

At a high level, the regulation seeks to achieve objectives that enjoy widespread support: fair and transparent data collection, avoiding the collection of excessive amounts of data or the retention of data that is no longer needed, ensuring that collected data is accurate, requiring consent to the use of collected data, and ensuring that collected data is stored securely. While the U.S. shares those high-level objectives, U.S. law is also acutely aware of the commercial cost of pursuing those objectives and therefore seeks to strike a balance. There is no comparable sense of balance in the regulation. As a result, it lays down rules that protect individuals admirably but impose potentially significant new commercial costs and burdens on businesses. Some of the more significant changes are:

Planning for the Change

Most observers think the final adoption of the regulation is two to four years in the future. However, the potential changes are so sweeping, and the potential costs of noncompliance are so severe, that it would not be prudent for any affected U.S. company to wait until the last minute to develop a plan for dealing with the regulation.

The high-level theme of the proposed regulation is one of limitation: In a technical environment that offers ever-expanding and increasingly sophisticated ways to collect and use personal data, the EU wants companies to abruptly head in the opposite direction, by limiting what personal data they collect and use and by developing the ability to respond to inquiries and requests from individual EU residents about the nature and use of their individual personal data. For many companies, this will require a fundamental change in the way that they collect, store and use personal data.

There are at least three specific steps that any affected U.S. company should be taking now to prepare for this change. First, each company should do a careful assessment of its internal data polices to ensure that it understands exactly what personal data it is collecting and how it is storing and using that data. In doing so, it must bear in mind that the regulation broadly applies to any information relating to an identified or reasonably identifiable natural person, whether it is in electronic form or written files. Second, each company should match its current data collection practices with its actual business needs, and develop and implement uniform, documented policies that ensure that it is collecting and retaining only personal data that is actually needed. Finally, each company should ensure that it is using generally accepted best practices, by U.S. standards, in the way that it provides data security. All of these steps have the dual advantage of improving the handling of data in the United States, while starting the process of preparing for the dramatic changes coming in the EU.

Main Menu