The Increasing EU Privacy Squeeze

February 29, 2016

Negotiators from the United States and the European Union recently reached an agreement on the new Privacy Shield data transfer pact. This agreement replaced the previously invalidated Safe Harbor agreement between the two continents. In a blog post, we explained that this agreement is mostly good news. Now online advertisers who rely on data transfers between the EU and U.S. for their business will be spared from having to create expensive and complex new transatlantic data transmission methods. Nevertheless, the acceptance of this new framework demonstrates the accelerating worldwide trend to impose cross-border privacy policies. The internet is making it increasingly difficult to reconcile disparate and potentially conflicting legal and social norms in regard to privacy between different countries and even continents. The EU is clearly trying to maximize its leverage over data transfer to enforce its outlook particularly regarding online privacy and data protection on U.S.-based companies.

Three important recent developments exemplify these trends:

Right to Be Forgotten

The first example relates to the so-called “Right to Be Forgotten.” In 2014, the European Court of Justice, the EU’s supreme judicial body, ruled that Google must take down data on EU citizens that is “inadequate, irrelevant, no longer relevant, or excessive in relation to the purposes for which they were processed and in light of the time that has elapsed.” It was not initially clear how far the “Right to Be Forgotten” would be extended, but in July 2015 France began pressuring Google to apply the ruling worldwide. In response, Google rejected the French government’s request stating, “If the Commission Nationale de l'Informatique et des Libertés (CNIL)’s proposed approach were to be embraced as the standard for internet regulation, we would find ourselves in a race to the bottom. In the end, the internet would only be as free as the world’s least free place.”

Google later went even further to accommodate their business practices in response to these pressures. Google agreed, for example, to block French citizens from being able to access Google sites not only in the EU but in the U.S., where information had been removed due to a Right to Be Forgotten determination. Google, however, rightly adamantly refused to censor information on its U.S. sites from being accessed by U.S. participants of their services. Increased regulation based on the Right to Be Forgotten outside of the EU would be extremely misguided and threaten bedrock speech freedoms in many countries, and particularly the First Amendment interests of the United States.

European Demands and Federal Trade Commission (FTC) Enforcement

Second, as part of the new Safe Harbor Privacy Shield agreement, the EU has signaled its desire to establish enhanced enforcement mechanisms for privacy protection in the United States. U.S. companies are expected, as part of the agreement, to make public privacy pledges that are acceptable to the EU regarding their use of consumer data. These pledges then will be able to be monitored and the Federal Trade Commission (FTC) will be empowered to penalize failure to adhere to these pledges.  

EU Pressure for Expanded U.S. Privacy Legislation

Finally, European policies are seeping into the United States through pressure on the Congress to develop new more stringent and encompassing privacy laws. An early signal of this trend is the recent passage of the Judicial Redress Act (HR 1428). The intent of this law is to give EU citizens an enhanced ability to sue in U.S. courts if they feel their personal data has been misused.

The Judicial Redress Act was drawn into the negotiations over the Privacy Shield pact, with the hope it would give an additional boost to the deal. Even though the transatlantic data transfer agreement was finalized before the Judicial Redress Act’s passage, it was hoped that the law would in the words of Senate Finance Committee Chair and Commerce Committee member Orrin Hatch, “build much-needed goodwill with our European allies.” While this law is limited in scope, it is likely that the EU will continue to push for far more sweeping U.S. privacy laws as the price for the continuing free flow of data between the U.S. and Europe.

Clearly, the EU’s increased push into the international legal sphere will have major implications for the United States and for the companies based here that wish to continue doing business in Europe. In the meantime, U.S. companies need to plan for a future in which the U.S.’s privacy policies are increasingly pressured to more closely mirror European and other international models.

You must be logged in to submit a comment.