International Implications of the EU General Data Protection Regulation

By Lexi Rubow

In April 2013, the European Parliament is expected to finish drafting a new tech privacy regulation, titled the “General Data Protection Regulation” (GDPR). The regulation is intended to be a comprehensive reform to the current directive on data protection, passed in 1995 (95/46/EC). The European Commission proposed the legislation in January 2012, and the first draft regulation was published in January 2013. Currently, the European Parliament and European Council are reviewing the draft. As the European Union represents a very substantial technology market, the regulation has garnered a great deal of attention from private technology companies and non-European governments alike.

Through this regulation, the EU intends to improve upon its current privacy regime, which is segmented and results in confusion and inconsistency when technology companies operate in more than one EU country. Further, technology has evolved considerably since 1995, creating new issues regarding data collection and aggregation that the current directive does not address.

The proposed legislation seeks to improve the consistency of privacy law across member states. It does so in three ways. First, it creates a regulation rather than a directive. The 1995 law was passed as a directive, which requires each member state to achieve a certain result but leaves the means of achieving that result up to each member state. In contrast, the GDPR has been introduced as a regulation, which means that the scheme it lays out would be binding on all member states in its entirety. Second, the GDPR would assign a single Data Protection Authority (DPA) to technology companies doing business in multiple member states. Rather than being liable for fines in every member state individually, these companies would answer to the DPA of their “main establishment.” Third, the regulation would create a system of oversight to ensure that different DPAs apply the law in the same way.

The provisions of the proposed regulation are as follows:

  • Companies acquiring data must be more transparent, informing the consumer about the purposes of data collection, consequences of not providing data, and the period for which the data will be retained.
  • Consumers must be allowed to access their data and transfer it from one service provider to another.
  • If a data breach occurs, the company must notify the appropriate DPA within 24 hours of the breach, if possible.
  • “Right to Be Forgotten” provision: This gives users the option to wipe the slate clean by deleting their personal data if there is “no legitimate grounds for retaining it.” This provision is geared towards young people who unwisely share incriminating data on social media profiles that may affect their ability to obtain a job later.

Violation of the regulation may result in penalties up to 1 million Euros or 2% of the global annual turnover of the company.

US tech companies and media, as well as the US government, are strongly opposed to the proposed regulation. For example, Google’s Global Privacy Counsel, Peter Fleischer, has warned that this regulation will “stifle innovation.” He is particularly concerned about the “right to be forgotten” provision, calling it a violation of free speech “more pernicious than book burning.” In similarly hyperbolic language, Time Magazine likens the “right to be forgotten” provision to the “memory hole” in 1984, equating the novel’s government practice of cleansing history by destroying unpleasant records with allowing people to manage their online biographical presence. While some consumer protection groups have expressed their support for the proposed regulation, President Obama has sided with the media and technology companies, fearful that the US tech industry will suffer as a result of the EU’s increased restrictions.

This difference of opinion is characteristic of an ongoing tension between Europe and the United States as to the relative importance of freedom of expression and the right to privacy. While the United States has a long civil history of resisting government surveillance and other forms of invasion of privacy by the government, in most other contexts the First Amendment right to free speech reigns supreme. Regulations restricting businesses’ ability to retain consumer data are seen as an encroachment on freedom of speech, and privacy concerns are only allowed to prevail in certain circumstances, such as medical records. The histrionic language used by Fleischer and Time Magazine exemplifies the American tendency to fear government censorship far more than private company intrusion.

Europe’s policies, on the other hand, are driven by the conception of privacy as a civil and human right. The protection of personal data is even explicitly recognized by Article Eight of the EU’s Charter of Fundamental Rights. Thus, rather than viewing freedom of expression as paramount, Europe seeks to protect its citizens’ private data, with narrow exceptions where data collection without permission is deemed acceptable.

While this conflict between the US constitution, which seeks to protect citizens by limiting the government’s power, and Europe, which generally seeks to protect citizens through affirmative government intervention and legislation, has existed for a long time, it is particularly acute in the realm of technology law, which blurs national borders and often results in the cohabitation of regimes in the cybersphere. In this context, companies of one nation must comply with multiple regimes at once. As a result, they often choose to comply with the most stringent regulations, so that they don’t have to worry about modifying their policies for each sphere or accidentally violating a law.

Thus, since the EU comprises approximately one third of sales for US technology companies, the regulations passed in the EU will likely have a great effect on the United States, as technology companies move to comply. US technology companies and the US Commerce Department have realized this significance and have sent lobbyists to Brussels, where the European Parliament is based. On the one hand, implementing privacy regulations in this way gives the EU more leverage to influence the international privacy law regime than it would have through traditional harmonization-oriented treaties. In traditional negotiations, where it cannot determine the course of the legislation outright, the United States often demands to be exempted from certain provisions, as it did when accepting the Berne Convention. However, since these regulations do affect consumers worldwide, at some point the international community may need to address these issues on a global scale.