The disparity between US and EU data privacy laws is a potential minefield
The May ruling by the European Court of Justice (ECJ), which declared Google not only a processor but also ‘a controller of personal data’ and requires it to sever links to third-party web pages containing sensitive information about individuals who so request, is a warning to US-domiciled companies that they can no longer afford to ignore the European Union’s (EU) strict data-privacy regime.
The ruling – the culmination of a lawsuit by Spain’s data protection authority on behalf of a Spanish citizen – enables any EU citizen to demand that Google remove him or her from search results; in other words, it invokes the ‘right to be forgotten’. Notably, the ECJ ruled that Spanish data protection law applies even if indexing of information by a search engine occurs in the US by virtue of Google’s promotion and selling in Spain of advertising space. The first day after releasing an online form for requesting link removals, Google received 12,000 such requests; that number had risen to 41,000 by the fourth day.
‘That’s a big vote for human rights over freedom of speech, which essentially has lost out to the continental European approach where greater value is being placed on privacy and personal integrity,’ says Marly Didizian, a partner in Linklaters’ outsourcing and data privacy practice in London.
There are many, many unanswered questions about the ruling that likely won’t be resolved until September, when common guidelines for how to interpret the Google Spain decision for the 28 EU member states are expected to be released. Those guidelines should help to clarify a consistent process for requesting link removals, criteria for such removals, and the appeals process if requests are refused.
A common understanding
The Google Spain decision came exactly two months after the European Parliament passed the draft Network and Information Security (NIS) directive, seen as an essential plank of the European Commission’s proposed cyber-security plan to establish measures that would ensure a high common level of network and information security across the EU. Some observers doubt the final regulations will be in place before 2015, with a two-year gap delaying implementation until 2017.
The disparity in legal treatment of data privacy between the US and EU stems from a core philosophical disagreement as to who should control personal information. The EU’s legal system prohibits the processing of personal data without a legal basis, while the US permits collection and processing of personal data unless a law specifically prohibits it. Additional differences include the fact that the US does not impose restrictions on data exports to other countries and has not established a national data protection commission.
Data is protected in the US according to the form in which it’s held under a patchwork of statutes, such as the Family Educational Rights and Privacy Act of 1974 and the Video Privacy Protection Act of 1988. By contrast, the EU’s omnibus law protects data regardless of the entity that holds it or the kind of information involved.
Data privacy is also disadvantaged in the US thanks to the lack of a central data-protection authority. The closest the US comes to such an authority is the Federal Trade Commission (FTC), according to an article by University of California, Berkeley law professor Paul Schwartz published in the March 2013 Harvard Law Review. The severe constraints on the FTC’s authority as a protector of information privacy include the very narrow range of Fair Information Practices used in the US to which the FTC’s enforcement extends.
Since 2000 the Safe Harbor Privacy Principles, the product of negotiations with the US Department of Commerce, have given the European Commission some comfort that the personal data of EU citizens transferred to the US will be respected and protected as much as it is in Europe. But Safe Harbor is a self-certification process, which European authorities have been losing confidence in due to high-profile data breaches in recent years.
Not so safe?
The Snowden revelations last summer exacerbated EU authorities’ concerns over US privacy policies and led the European Commission to issue a memo last November to the European Parliament and the Council of Europe analyzing how Safe Harbor was working and suggesting improvements. Among the 13 recommendations was the suggestion that privacy policies posted on self-certifying companies’ websites should always include a link to the Department of Commerce Safe Harbor website, which would enable European data subjects to immediately verify whether a firm is currently a Safe Harbor signatory, thus enhancing the framework’s credibility.
Eroding confidence in Safe Harbor has led many US companies to seek more rigorous external certifications of their data practices by firms such as San Francisco-based TRUSTe, which uses a five-step process to assess risks related to how a company collects and uses data and who that data is shared with. The TRUSTe seal is awarded only after recommended improvements to the company’s data practices have been implemented. Subsequently, TRUSTe continues to monitor compliance using proprietary technology, occasionally initiating an investigation based on its monitoring or a regulatory or media inquiry.
Besides the US and Europe, demand for TRUSTe’s services is growing in the Asia-Pacific Economic Cooperation (APEC) zone, where the company is the first accountability agent for the APEC Cross Border Privacy Rules, according to TRUSTe director of global communications and EU marketing Eleanor Treharne-Jones.
Multinational firms usually create binding corporate rules that essentially commit the company to following European data protection rules anywhere in the world, says Seth Berman, executive managing director of Stroz Friedberg and head of its London office. Still, when a company is involved in a lawsuit and has data subject to subpoena that resides in Europe and is covered by EU data protection rules, the European subsidiary resists sending it to the US, he adds.
‘There’s an internal struggle at the company, with the American lawyers saying, “You don’t have a choice – you have to turn this stuff over to the US,” and the European side saying, “We can’t do that; it violates the law.”’
Best practices
Berman suggests some best practices to employ when working out how to comply with a court subpoena of data residing overseas. First is minimization: determining the least amount of data that can be transferred while remaining in compliance. Second, there should be a privacy review conducted by lawyers hired in Europe to sift through the data and see whether there’s any particularly sensitive information that can be redacted before the essential data is turned over, or whose treatment while in court custody the company can negotiate. There is also ‘a series of agreements you can reach with both the opposing party [in the lawsuit] and the court to minimize the exposure of that data,’ Berman says.
The approach to production or reviews of data that’s been requested by subpoena or a regulator in another country varies from member state to member state in the European Economic Area, according to how strict each country’s data protection laws are, says Didizian. Her clients conduct reviews for legality and proportionality, assessing the applicability of various restrictions and workarounds relating to disclosure and cross-border transfer of personal data.
‘That includes assessing balance-of-interests-type workarounds, and weighing the interests of the disclosing party against the potential harm to the relevant individuals whose personal data may be disclosed,’ she explains. ‘That is a very case-specific assessment of any particular data disclosure.’
Didizian has been involved in discussions between parties subject to particular legislation or between a party to an investigation and regulators. These discussions have mapped out which bits of information a company will disclose while reserving the right to have ‘sensible exemptions’ where there are issues with privacy and confidentiality.
One example of this is the protracted effort that ensued with the introduction of Sarbanes-Oxley and the PCAOB when the initial legislation required accounting firms to hand over any information they held on any client throughout the world and entitled the PCAOB to disclose any of it to the SEC.
‘At the time, that led to a process of explaining to the PCAOB and SEC the various laws that might prohibit such disclosure,’ Didizian says. ‘That level of education is no longer necessary because the courts and regulators in the US are now familiar with privacy restrictions.’
That explanatory and lobbying process led the PCAOB to issue new rules to specifically permit organizations to hold back data where there was a legal prohibition on its disclosure, primarily in the form of confidentiality and privacy agreements, as long as it was backed by legal opinion.
Arrangements resulting from court proceedings typically specify the degree of redaction that can and should take place and sometimes lead to extensive redaction exercises that teams of lawyers and paralegals are brought in to do, says Didizian.
The art of law
Even so, ‘a pragmatic risk-based assessment of the situation is often what’s called for, not just in this context but more generally in relation to European data-protection laws,’ she explains.
‘In many cases, total compliance with European data protection laws to the letter would lead businesses to grind to a halt because those laws are so restrictive. Complying with any law can be more of an art than a science, and complying with data protection laws across Europe is a particular art. Understanding the variations between countries – which are extreme in some cases – and understanding the actual approach regulators take on the ground is key to putting in place workable solutions.’
The board must pay attention to privacy laws in countries where a company’s customers live in order to ensure not only the company’s compliance but also that every vendor in its technology supply chain understands it is accountable in helping the company reach compliance, says Theresa Payton, founder and CEO of technology consulting firm Fortalice and former White House chief information officer under former president George W Bush. That’s especially relevant as more companies move data storage into the cloud.
‘When you outsource, the piece you outsource is your operations,’ she explains. ‘You have not outsourced your responsibility or your accountability to protect the data and your accountability to the privacy regulations. That has to be built into the contract with the service provider.’
Contracts should explicitly state that the company, whose customers are citizens of various countries, requires the vendor to comply with both the privacy regulations and the data-breach notification laws of those countries, she adds.
Not all in favor
There are efforts afoot to harmonize US and EU approaches to data privacy. The NIS directive under consideration by the European Parliament calls for compulsory data-breach notification rules, which would start to resemble the US system if and when they emerge, Berman says. Similarly, the SEC is now insisting public firms have a framework for protecting private data or generally preventing data breaches.
‘It’s a complicated issue because people have mixed feelings about whether they really want to solve the problem,’ Berman explains. ‘To some extent, many in Europe think the reach of US law is too broad, and trying to aid US discovery is not [among their priorities].’
Then there are the Snowden revelations. ‘Those definitely made it harder to have this discussion because they increased the level of fear about data landing in the US,’ says Berman. ‘For both political and cultural reasons, there are some cross-currents that are pushing against solving this.’