While the specific outcome of this conflict will be interesting to follow, it will also be interesting — and important — to assess whether and to what extent this and other similar EU data privacy initiatives impact data privacy regulation and practice in the US.
The EU already influences US data privacy regulation and practice through its indirect regulation of companies that wish to transfer consumer data from the EU to the US. Because the EU has deemed US law as inadequate in protecting consumer data privacy, EU law prohibits organizations that collect data about individuals in the EU from transferring such data to the US absent an exception. The US and EU established the US-EU Safe Harbor in 2000 as such an exception. The Safe Harbor allows transfer of consumer data from the EU to the US so long as the organization in the US abides by the 7 Safe Harbor privacy principles (“Principles”) and annually self-certifies that it does so.
The 7 Principles deal generally with: (1) providing individuals with adequate notice regarding the purposes for which the organization collects and uses the information (“Notice”); (2) providing individuals with the ability to prevent disclosure of the information to third parties or using the information for purposes other than the purposes for which it was originally collected (“Choice”); (3) ensuring that onward transfers of the information are adequately safeguarded (“Onward Transfers”); (4) enabling individuals to access personal information that organizations hold about them and correct or delete any inaccuracies, subject to certain limitations (“Access”); (5) ensuring that organizations maintain reasonable security precautions with respect to the information (“Security”); (6) ensuring that organizations take reasonable steps to ensure that information is reliable and relevant for its intended uses (“Data Integrity”); and (7) ensuring that organizations implement and maintain adequate resources and procedures that allow affected individuals to effectively enforce the Principles and obtain redress when needed (“Enforcement”).
In the US, will the Federal Trade Commission (FTC) follow the EU understanding of what the Principles require, as reflected in the EU recommendations to Google, in its enforcement activities against US companies? For the first time, the FTC recently used the failure of a self-certifying organization to abide by the Principles as a basis for an FTC enforcement action under Section 5 of the Federal Trade Commission Act. Ironically, the unfair and deceptive trade practice action was against Google. Whose interpretation of the seven Principles will apply going forward? The generally more stringent standards of the EU regulators, or the typically more lenient standards of US law?
If significant discrepancies develop between the US and EU regulators in terms of what they believe Notice, Choice or any of the other Principles require of organizations, the current Safe Harbor framework may be in danger of collapse. What happens, for instance, if Google does implement many of the recommendations in the EU, but not in the US? Will the FTC take action against Google in the US? If not, it seems clear from the EU regulators’ investigation and subsequent recommendations that such practices violate significant pieces of EU data privacy protection law that are meant to be reflected in the Safe Harbor framework. The Safe Harbor has proved a successful means for bridging the gap between different data privacy regimes and traditions in the past, at least in terms of facilitating cross-border transfers of information. But that success may be in danger as EU regulators up the ante and US law remains static.
Of course, US companies such as Google have some incentives to import whatever data privacy practices they adopt in the EU, and which touch upon the Principles, into their US privacy practices. Doing so may help stave off legislation that would statutorily require such practices. This tactic — doing just enough to keep regulators at bay — has been a mainstay of the industry’s data privacy strategy for some time, whereby companies enjoy more wiggle room than they otherwise would under a more comprehensive data privacy regulatory system. Adopting EU-imposed practices in the US may also help keep the FTC at bay. If the FTC were forced to address whose interpretation of the seven Principles controls, it may elect to adopt the EU’s interpretations. In order to avoid that result and maintain as much wiggle room as possible, it seems that organizations in the US would best serve their own interests by implementing the bare minimum, even if it is a higher standard than what they followed previously.
Information privacy commentators often note that California data privacy law heavily influences other states’ privacy laws, as well as actual company practices, since so many companies operate nationally and implementing different data privacy practices on a state-by-state basis becomes onerous. As companies become increasingly global in their operations, EU privacy law may play a similar role on the international stage. It has already played this role in the US to some extent through the Safe Harbor framework. And for the reasons discussed above, EU influence on US privacy regulation and practice seems poised to grow. Indeed, ironically, the growing divergence between US and EU data privacy law and practices may ultimately lead to greater convergence.
Clark Asay is a Visiting Assistant Professor of Law at The Pennsylvania State University Dickinson School of Law. His research focuses on legal issues relating to the Internet and arising from technological change. His specific interests include information privacy, open licensing models and intellectual property law.
Suggested citation: Clark Asay, The Impact of EU Privacy Regulation in the US, JURIST – Forum, Nov. 9, 2012, http://jurist.org/forum/2012/11/clark-asay-eu-privacy.php
This article was prepared for publication by Michael Kalis, an associate editor for JURIST’s academic commentary service. Please direct any questions or comments to him at email@example.com