satelliteIn the wake of the Edward Snowden revelations, many nations expressed shock and dismay over the mass surveillance of their citizens and governments. In turn, on March 12 the European Union (EU) Parliament passed a resolution and new law relating to data privacy. This will have profound implications for every U.S. tech company, as well as anyone who uses the internet.

Recommended by the EU Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE), the resolution includes a direction to block negotiations between the U.S. and EU on the Transatlantic Trade and Investment Partnership (TTIP) unless the U.S. government implements much stronger data privacy laws. This would entail ensuring that private companies could not misuse citizens’ data for their own gain.

Moreover, the Parliament approved a second LIBE recommendation to develop and strengthen the EU’s own IT and cloud storage industry law as a privacy-respecting alternative to the U.S.-controlled internet. Parliament also approved a massive EU reform package (known as the General Data Protection Regulation) designed to strengthen and centralize EU data privacy. Penalties for breach include a stunning maximum of 5 percent of annual gross revenue. U.S. companies will have to comply with these new EU laws or face this massive penalty.

In The Spotlight

Parliament also addressed foreign government requests for information. Under the new rules, any search engine, social network or cloud storage service will require authorization from an EU data protection authority before disclosing personal data of EU citizen to a third country, and to inform the individual in question. U.S. firms are worried that this potentially would put their EU legal obligations in direct conflict with U.S. rules requiring them to keep silent about such government requests.

The EU has always had more extensive laws than the U.S. on data privacy. But until now, the EU concerns about data privacy misuse had been addressed through a mechanism called the Safe Harbor Framework.

Under the Framework, which was jointly developed in the 1990s by the U.S. and EU to address EU data misuse concerns, U.S. companies could self-certify that they satisfied Framework guidelines by requiring compliance with seven fundamental Safe Harbor privacy principles. These included notice, choice, onward transfer, access, security, data integrity and enforcement. In turn, certified companies could engage in trans-Atlantic data transfer without fear of prosecution by EU member authorities for data misuse.

The March 12 Parliamentary vote means the EU now considers the current Safe Harbor Framework to be inadequate. U.S. tech companies are very concerned about the resulting uncertainty and potential exposure for them, without an operating Framework agreement. It will therefore be critical for the EU and the U.S. to negotiate a replacement agreement.

U.S. companies may have to meet or exceed EU standards even if they do no business in Europe.

If the General Data Protection Regulation passed by Parliament becomes law later this year, non-European companies will have to obey EU data protection laws if they operate in the EU market. U.S. companies may have to meet or exceed EU standards even if they do no business in Europe.

The U.S. reaction to Parliament’s actions is still an open question. However, based on its recent reaction to the LIBE recommendations and EU calls for reform, the U.S. likely will put up some resistance to the EU demands. The recent actions taken by the Federal Trade Commission (FTC), which has responsibility for Safe Harbor enforcement, may also offer some clues as to what the future holds.

For years, the FTC was subject to criticism that suggested its Safe Harbor enforcement was lax. However, since the Snowden disclosures the FTC has been noticeably active. In February 2014, the FTC settled with an online gaming company who it alleged had falsely claimed to be certified under the Safe Harbor Framework. In January of 2014, the FTC also announced it was settling enforcement actions against 12 other companies also over false Safe Harbor certification. Some see the recent ramp-up in enforcement action as motivated by the Snowden fallout and a desire to demonstrate to the EU that the U.S. is serious about data privacy.

Surprising to many, the FTC actually brought quite a few data privacy cases over the years, including some against prominent players. The problem: violators did not suffer any significant consequences.

In 2009, the FTC investigated Facebook’s privacy practices, charging it had exposed users personal data who had previously set their privacy setting to “private,” and made misrepresentations about access granted to third party apps. The accusations included violations of the Safe Harbor Framework. However the FTC settled the Facebook claims without imposing financial penalties. Facebook was simply required to make certain promises.

In 2011, the FTC charged Google with using deceptive tactics and violating privacy promises when it launched its social network Google Buzz. The allegation stated the company failed to give consumers notice and choice before using their information for other purpose than indicated. Google agreed to a settlement with the FTC under which it promised not to misrepresent consumer control over the collection of information. The FTC also had to implement a comprehensive privacy program.

However, a few months later, Google was in trouble again. The new allegation indicated Google placed an advertising tracking cookie on Safari users, but told those users the cookies were blocked. The FTC also claimed Google had violated the previous settlement. This time, Google agreed to pay a record $22.5 million penalty to settle the charges. While the settlement was the highest amount for the FTC, it likely still was not large enough to constitute a real deterrent to companies of Google’s size.

The FTC also is contemplating new ways to regulate data privacy. In December 2012, the FTC issued orders requiring nine prominent data brokerage companies to provide the FTC with detailed information about how they collect and use data about consumers. Currently, there are no laws requiring data brokers to maintain the privacy of consumer data unless the brokers plan to use that data for certain purposes.

The FTC has indicated it will continue to study privacy in the data broker industry. As a result, some speculate the FTC will issue mandatory rules about data collection. However, to date, the FTC has not issued any report or guidelines based on the data broker information.

The FTC is clearly sensitive to EU criticism of its enforcement. In November 2013, the European Commission Vice-President Viviane Reding delivered a speech in which she called upon U.S. lawmakers to develop new and comprehensive U.S. data privacy legislation.

The FTC, clearly smarting from Reding’s comments, took the unusual step of responding publicly. It pointed out their current study of data brokers’ practices and reiterated its commitment to vigilant Safe Harbor enforcement. It also mentioned that it supported the development of an international alert mechanism that participating countries could use to keep each other informed of privacy investigations.

In The Spotlight

Aside from the FTC, other government action has been much more tentative. In 2012, President Obama proposed a Consumer Privacy Bill of Rights, but Congress did not express significant interest and, as a result, the Administration did not push it. In January 2014, the White House announced it would form a working group to study data collection and its implications. Meanwhile, the U.S. Department of Commerce began crafting a Privacy Bill of Rights, but it is uncertain whether it will garner much support in Congress or from industry.

While the increased FTC enforcement is laudable, it clearly has not been enough to pacify the still-furious EU. Further, it is worth noting that the FTC’s enforcement cases dealt with misrepresentations by companies as to certifications and representations regarding privacy practices, not the acceptability of the underlying privacy practices.

The EU Council of Ministers (representatives of the national governments) still has to approve the EU Parliament Regulation before it can become law, and there may be friction between the various EU nations about whether it is too strong or weak. But clearly, the U.S. government now will have to consider creating new laws to prevent data privacy misuse on a pressing basis. Failure to do so may endanger U.S. companies doing business in Europe, as well as collapse the TTIP deal that the U.S. government hopes will stimulate the economy.


Helena Sullivan
About The Author Helena Sullivan
Helena D. Sullivan, an attorney with Barnes, Richardson & Colburn, LLP., concentrates on the representation of importers who have issues of compliance with U.S. Customs law, exporters who have issues relating to U.S. export control laws, and other international regulatory issues relating to trade. A former Law Clerk to Judge Thomas Aquilino at the U.S. Court of International Trade, she is admitted to practice law both in the State of New York and in the province of Alberta, Canada.

You don't have permission to view or post comments.

Quick Search

FREE Impact Analysis

Get an inside perspective and stay on top of the most important issues in today's Global Economic Arena. Subscribe to The Manzella Report's FREE Impact Analysis Newsletter today!