The European Union (EU) has been in the news lately for all the wrong reasons. Italy was hit hard by the recent recession period and is still working to reduce its public debt, and Greece just received its second bailout in two years; this in the form of a $172 billion loan (that’s €130 billion). However, while the EU struggles with maintaining the stability of a multinational currency and holding together 27 different economies, great strides are being made in other areas of governance.
Earlier this year, as United States Congressmen scrambled to respond to the public backlash against SOPA/PIPA, the EU was busy overhauling their Data Protection Directive. As the lawyers on Reed Smith‘s Global Regulatory Enforcement Law Blog noted, this Directive (officially released on January 25, 2012) was designed to give more control to internet users over personal data:
“The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens’ privacy protections in the age of the Internet.”
In stark contrast with SOPA/PIPA (which were fueled by various entities in the entertainment industry), the EU Directive is aimed at giving more control to consumers. The Directive also provides a multi-tiered enforcement approach, wherein small and medium-sized businesses are treated differently from multinational corporations (again from Greg Jacobs, Cynthia O’Donoghue, and Nick Tyler of Reed Smith):
“There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to the EU citizens.”
The new draft of this Directive overhauls certain provisions of the old version, and adds a few new wrinkles to help protect individuals, but as Ellen Temperton of Lewis Silkin points out on the Global Employment Law blog, the impetus for changing the Directive was not just to protect consumers:
“The main aim is to remove inconsistencies created by the 27 EU member states having implemented the Directive in divergent ways and the consequent burdens for business. The proposals also attempt to reflect the rapid advances in technology since the Directive first came into effect.
The changes include a mandatory obligation to report data security breaches promptly and, where feasible, within 24 hours. At present, very few member states have compulsory rules requiring infringements to be notified. In addition, substantial powers to levy fines are proposed – between 0.5 and 2% of an organisation’s global annual turnover.”
Now, to be fair, comparing the U.S. Congress’s SOPA and PIPA (and even the newest incarnation, OPEN) to the EU’s Data Protection Directive is like comparing apples to oranges. SOPA and PIPA were designed to deal with consumers “pirating” materials, whereas the EU Directive was created with the consumer’s data in mind, not the corporation’s materials. That being said, it is interesting to note that the U.S. lacks these types of regulations even as we create laws to protect corporate interests.
While lawmakers are moving to address that concern, there are still stories on a daily basis where the FTC or some other body of government has to wag its finger at a business or developer regarding the use and storage of consumer information. Colin Zick, an attorney with Foley Hoag and author on the firm’s Security, Privacy, and the Law blog, has an interesting take on the lack of control we have over our personal information online, and what lawmakers are doing to address that concern:
“If you haven’t Googled yourself in a while, this might be a good time. My own self-search reveals, among other things, a page at mylife.com. I didn’t put it there, and I’d rather it not be there. However, right now, there isn’t a right to have your personal or professional information be deleted from social media, review sites, and other types of websites that gather your personal information. However, legislation may be coming that will address this concern.”
Mr. Zick’s post, entitled “The Right to Be Deleted”, goes on to quote a story from the Wall Street Journal, which discusses what legislators are doing in the U.S. to respond to consumer concerns. From the Journal (you must have a subscription to the WSJ to read the full article):
“Lawmakers and regulators are trying to do more to address consumer concerns. There is no U.S. law, as there is in Europe, requiring companies to allow people to view or delete their personal data on file at an institution. Last year, Sens. John Kerry (D., Mass.) and John McCain (R., Ariz.) introduced legislation that would require most data brokers to let people view and make corrections to the personal data stored about them. The White House is expected to call for similar rights when it releases its “Privacy Bill of Rights” later this year.”
One of the interesting aspects of Internet regulation on a nation-by-nation basis is that, no matter where a law originates, someone else eventually has to deal with it. In a way, it’s analogous to environmental legislation. As nation-states create laws that place restrictions on businesses, neighboring nations (or countries that find themselves politically aligned with environmentally-friendly nations) are often forced to at least investigate the reasoning behind those restrictions. W. Scott Blackmer, a founding partner of the InfoLawGroup and author on the InformationLawGroup blog, wrote an in-depth and insightful post on the problems with “transborder data flows”, and how new regulations can complicate business for companies that rely on the transfer of data from one nation to another through the internet:
“The proliferation of comprehensive data privacy laws, more or less on the European model, increasingly requires US-based multinationals and online companies to adapt to strict requirements for dealing with individuals in other countries. While the rules may soon become more uniform in the EU, they are still new and uncertain in many other countries.”
In the case of these new regulations, Mr. Blackmer brings to light some of the problems that may arise in the course of international e-commerce:
“Less welcome are the provisions on extra-territorial jurisdiction in the draft Regulation. A US company, for example, would be subject to the Regulation if it offered goods or services to European residents, online or otherwise, or if it monitored their behavior (for example, by tracking their visits to other websites). This assertion of extra-territorial jurisdiction could prove difficult to enforce, but it would require American companies to re-think their approach to e-commerce and online marketing. It may not suffice in future to say that European rules do not apply simply because the company’s servers are not located there.”
While national governments ultimately reserve their sovereign rights when deciding to adopt new regulations or maintain the status quo, not all entities are as lucky. As Mr. Blackmer points out, corporations and industries must adapt. We saw this when Google increased its presence in China and was forced to adhere to a new standard set by the Chinese government. In this case, the legal industry has its own choice: it can take note of the European Union’s new language in its Directive or choose to ignore it. In that vein, the ABA released a statement urging U.S. courts to:
“consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from such laws, with regard to data that is subject to preservation, disclosure, or sought in discovery in civil litigation.”
That quote (from a post written by Cynthia O’Donoghue, David Cohen, Nick Tyler, and Regis Stafford on the Global Regulatory Enforcement Law Blog) would seem to allude to the recent changes in European law, which, as the attorney-bloggers at Reed Smith point out, are literally a “game-changer”:
“Such sanctions represent a ‘game-changer’ in the current risk profile and choices presented to multi-nationals faced with U.S. discovery requirements demanding the transfer of personal data held by EU affiliates in breach of EU data protection laws.
Current U.S. jurisprudence will now be tested – up until now the U.S. courts have tended to strike the balance in favour of compliance with U.S. rules on the basis that there is no realistic prospect of prosecution in Europe for an enterprise which breaches EU cross-border transfer restrictions. See In Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 2007).”
Obviously, this sort of conflict between national regulations, international business, and individual rights is inherently complex, especially when the conflict arises from disagreements over how to handle nebulous concepts like “the internet” or “the environment.” It becomes even more complicated when you add other complex systems to the mix, like commerce and jurisprudence. Legal practitioners, business owners, and internet users everywhere are going to have to learn how to adapt as more people, money, and regulations become a part of the internet.
If you want more on this story, check out The LexBlog Network’s “library” of posts on the EU Data Protection Directive.