EU Guns for U.S. Online Operators
Must a U.S. company whose online offerings are available anywhere in the world comply with international privacy law, and in particular, the European Union (EU) data protection regulations? The extraterritorial application of privacy law—especially by the EU—has been a contentious issue for over a decade and is now heating up with respect to cutting-edge new media applications.
EU authorities are now in the process of updating the keystone Data Protection Directive, apparently to reaffirm its extraterritorial reach. Viviane Reding, vice president of the European Commission and EU justice commissioner, recently asserted that European privacy standards should apply "independently of the area of the world in which [Europeans'] data is being processed," such that "any online product that is targeted at EU consumers must comply with EU rules." Further, she spoke in favor of giving EU privacy regulators power to investigate and bring legal proceedings against non-EU companies whose online services target EU consumers.
EU privacy regulators have long argued that, when a U.S. online operation places a cookie on the hard drive of an EU individual's computer or mobile device, the U.S. operator avails itself of EU equipment and, accordingly, becomes subject to EU law. Risks for U.S. companies under this aggressive interpretation will heighten come June 2011, when a new directive goes into effect requiring EU individuals' prior, informed consent to the placement of cookies.
If a U.S. business has EU assets, EU business partners or an online offering directed to Europeans, it should consider the existing requirements of the EU Data Protection Directive, the amendments under discussion and industry's reaction to the new cookie directive. Some level of compliance with EU law could be the prudent step for a U.S. company.