European Commission Offers a New Data Protection Deal
U.S. companies heard directly from Viviane Reding, vice president of the European Commission (EC) and European Union (EU) justice commissioner, in late November about anticipated reforms to the keystone EU Data Protection Directive (Directive). (Privacy In Focus profiled Ms. Reding's ambitious agenda for data protection reform in "EU Guns for U.S. Online Operators" (April 2011) and "Charismatic EU Regulator Seeks Privacy by Design" (March 2010)). Although EU Justice Commissioner Reding postponed the anticipated release of reform legislation to early 2012, she previewed substantial changes to EU data protection law. A November 29 draft of the regulation has subsequently become public.
Speaking to groups largely populated by U.S. companies, Reding may have sought to build political support within U.S. industry for her proposals. If those proposals are adopted, U.S. companies doing business in Europe could benefit from a more workable and consistent set of rules. But in the bargain, EU regulators' extraterritorial powers could be enhanced, and EU rules could disrupt business models.
Harmonization and Simplification
The EC appears especially attentive to complaints that fragmentation within EU privacy regulation is costly for EU and international businesses. Despite the common Directive, each EU Member State has substantial discretion to set rules for the handling of personal information and to exercise regulatory oversight. Consequently, multinational businesses face 27 different privacy regimes and regulators in Europe.
Forcing anything like a uniform EU standard would provoke substantial resistance from the Member States and their national data protection authorities (DPAs). So, Ms. Reding seems to be offering a compromise "full faith and credit" system. Details are thin, but Member States potentially could be barred from requiring more from a company than is required by the sister Member State in which the company has its "main establishment." Thus, U.S. companies with such an EU "establishment" could enjoy a single national standard when collecting, sharing and using personal information within the European Union.
U.S. companies don't often hear EU privacy authorities say they want to "drastically cut red tape by eliminating unnecessary costs and administrative burdens to create a more business-friendly regulatory environment." Ms. Reding apparently has heard the critique that the Directive's approach to data processing has often failed to deliver "legal certainty" or "real value." For example, she calls for eliminating the requirement to give DPAs notice of personal data collection and handling, which is notoriously inconsistent in its implementation. It remains to be seen what other simplification measures might emerge in the 2012 legislation.
Revitalizing Binding Corporate Rules
Ms. Reding is also responding to calls to streamline the movement of personal data out of Europe. The Directive generally prohibits transfers outside the European Union, absent a "legal basis" for enforcing EU privacy standards abroad. Currently, many U.S. companies find no good option for establishing a legal basis for EU transfers, due to regulatory limitations, exposure to EU courts and regulators, inconsistent EU Member State requirements, or, as acknowledged by Ms. Reding, the substantial investment of time, expertise and cost implied. In particular, disappointing results have emerged from the EU privacy regulators' scheme for approving the "binding corporate rules" (BCRs) of a global company. Only a few of the largest multinationals have undergone the lengthy, complex process, which requires coordination with multiple Member State regulators and demonstration of deep internal privacy controls.
Ms. Reding seeks to revitalize the BCR process by, again, imposing a degree of preemption on local Member State data protection authorities. A U.S. company apparently could elect a "single point of contact" among EU privacy regulators. After the lead regulator approves the company's "corporate rules" for safeguarding privacy across borders, all DPAs would be bound to allow personal data exports pursuant to the BCR, without requiring "additional national authorization." U.S. companies stand to benefit from a more workable option for obtaining legal certainty, and may wish to support the EC in this regard.
Before lending their support, however, U.S. companies should understand Reding's firm position that EU law and enforcement powers must apply after personal information is transferred from the European Union. For her, cloud computing, social networking, outsourcing and easy global data flows would simply make a mockery of EU fundamental privacy rights unless EU restrictions travel with the data. Accordingly, the price for U.S. companies of Ms. Reding's reforms may be more explicit agreement to the extraterritorial reach of EU laws, regulators and courts.
Wait for the Other Shoe to Drop
Although Commissioner Reding nods to key issues for U.S. businesses, her regulatory outlook remains firmly grounded in EU privacy principles. She is unequivocal in her call for EU protections to apply when EU data is moved offshore or to third-party vendors. She favors strong enforcement, and greater powers and resources for DPAs. She rejects the notion of "self-regulation" (a favored approach in the United States) unless there is "strong, legally binding regulation in the first place." In an era of fluid data collection and sharing, she wants individuals to have meaningful control over their information and a right to be forgotten. Any of these elements could, depending on implementation, substantially disrupt global business that involves EU information. Thus, U.S. businesses should carefully weigh whether Ms. Reding's offer would yield a net plus.