EU Reforms Extend the EU's Reach to U.S. Companies
What do proposed European Union (EU) privacy reforms mean for U.S. companies? Since 1995, the EU has attempted to apply its data protection regulation to U.S. companies whose business involves data about EU citizens. In late 2011, the European Commission (EC) released a draft data protection "Regulation" to supersede the 1995 law. Unfortunately, the draft Regulation seeks to exert even greater extraterritorial influence than current EU law. On the plus side, it also promises some valuable legal clarification and procedural streamlining to aid international data transfers.
U.S. companies physically established in Europe, as well as U.S. businesses merely offering online resources to Europeans (such as social networking, cloud computing, mobile apps or targeted advertising), should examine their exposure to the potential Regulation. Opportunities remain to influence the Regulation's final form.
Distrust of Online Data Flows
The draft Regulation appears to target U.S. online companies in a series of proposed amendments. Currently, a U.S. company must have a physical presence in the European Union or make use of EU "equipment" in order for EU privacy law to apply. Privacy regulators in Europe have grown frustrated under this arrangement by their inability to subject foreign businesses (often U.S. website operators, social networks, mobile application providers and targeted advertising firms) to EU privacy rules. The Regulation would help by establishing jurisdiction over foreign businesses that direct online content to EU individuals or monitor them online. Other amendments would bring under the operative definition of "personal data" the types of information that drive many online, mobile and advertising services, such as IP addresses, cookie identifiers and device numbers.
The Regulation would require changes to ordinary online practices and business models. In many cases, U.S. online companies would need to obtain an EU individual's specific opt-in consent before monitoring online behavior or sharing data with third parties. Notices would be more frequent and more detailed. Extensive requirements to respond to an individual's data access requests would impose technical challenges and administrative costs. Furthermore, the new "right to be forgotten" and "right to data portability" espoused by the draft Regulation seem squarely directed to U.S. social networking sites that apparently hold on to individuals' data longer than EU privacy regulators would prefer.
These amendments are concerning because the draft Regulation ramps up enforcement powers. U.S. companies that direct online services to Europeans or monitor them online or via a mobile device would be required to appoint a representative in Europe. Covered companies would have to keep extensive compliance documentation. EU data protection authorities could exact up to 5% of a company's annual revenues if certain Regulation provisions were violated. The existing private right of action would continue. Historically, levels of enforcement of EU privacy laws have been low, although regulators have frequently directed their limited resources to scrutinizing U.S. activity. There is no reason to believe that adoption of the Regulation would change this tendency.
Cross-Border Transfers Must First Get Through Europe
U.S. companies are likely to see substantial simplification in EU rules governing international transfers, should the Regulation be adopted. But greater harmony across EU Member States does not necessarily imply workable privacy rules. If anything, the Regulation is designed to expand EU authority over cross-border transfers, in an attempt to ensure that EU rules apply wherever EU citizens' data flow around the globe. Those rules imply expensive technical and administrative controls and legal liability that will increase the costs associated with personal data handling.
For example, the EC seeks to streamline the approval process for "binding corporate rules" (BCRs) for global transfers of personal data. Once a Member State data protection authority approves a company's arrangements, no further approvals from other regulators are required, with some exceptions. Yet the complex, probing and risk-generating requirements to achieve BCR approval mean that, like today, only large companies with ample resources could likely take advantage of BCRs. This is disappointing, as the EC's stated goal of reform was to place BCRs within the grasp of smaller and developing firms.
Making a Better Draft Regulation
Existing EU privacy law has drawn criticism for red tape and, more generally, for a distrust of everyday data flows that are economically important and not clearly injurious to privacy. Like its predecessor, the new draft Regulation is susceptible to these criticisms. As written, it may not result in a net benefit for U.S. companies that have sought sensible, cross-border privacy solutions.
Yet, while the EC remains focused on data protection reform, U.S. companies have an opportunity to improve the end product. The EC appears keen to harmonize standards across EU Member States, clarify legal requirements and streamline international data transfers. Suggestions in these areas could fall on receptive ears. Furthermore, the 2010 Digital Agenda for Europe, which partially motivated the EC's data protection reform, makes "smart" economic growth a top priority, with the Internet playing a central role. U.S. companies may argue from experience that to produce such an outcome, Europe must nurture online innovation and permit free flows of data. The draft Regulation is a hundred pages of technical and expensive requirements that would tend to limit a budding enterprise's access to data and require expert privacy counsel. The EU cannot expect dramatic progress toward the "information society" if it sticks to more or less the same 1995-era privacy approaches. 2012 is the time for raising these concerns with EU leaders, as the Regulation will set EU data protection requirements for years to come.
The authors thank Wiley Rein's Brandon Moss, a member of the Virginia bar, who contributed to this article.