The Tremor, Quake, and Aftershock of EU Privacy Norms
The European Union (EU) increasingly sees itself as the world’s online privacy regulator, asserting its privacy norms beyond its borders with increasing frequency and fervor. Three recent episodes – the tremor, quake, and aftershock of EU privacy norms – exemplify this trend: the European Court of Justice’s “right to be forgotten” decision; the invalidation of the agreement allowing transfers of EU citizens’ data across the Atlantic; and the recent adoption of the EU’s long-awaited General Data Protection Regulation.
The full effect of these events on the U.S. economy and legal system has yet to be determined, which actually makes this an appropriate time to raise some questions about a world in which the EU standard could become the global privacy norm. In particular, is the U.S. ready and willing to trade off competing equities, such as freedom of speech and the right to know, against privacy?
The EU’s tremor came in 2014, when the European Court of Justice handed down a landmark decision on the applicability of its data privacy laws to Google’s search engine. The case has already entered into the vernacular as “the right to be forgotten” case. It began when a Spanish man, Mr. Costeja González, approached his local data protection authority to complain that a decades-old government notice of his property’s foreclosure was still available online through a Google search for his name. Although a Spanish newspaper had published the notice pursuant to a Spanish law, the data protection authority concluded that under EU data protection law, as incorporated into Spanish law, Mr. Costeja González’s EU privacy rights had been violated by Google but not by the newspaper.
The European Court of Justice, to which the case was later referred, ruled that the EU’s data protection rules applied to search engines, even those with servers located in California, and that inherent in these rules was a “right to be forgotten,” meaning a right to have information delinked upon request where it could be regarded as “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which it was processed.”
At last count, Google had processed over 1.2 million take-down requests and granted them in over 40 percent of cases. In other words, a lot of information has left the web pursuant to EU privacy laws and it is not clear that this is where the story ends.
Google and the French data protection authority, Commission nationale de l’informatique et des libertés (CNIL), are in a yet-to-be-resolved legal dispute about whether the right to be forgotten extends beyond the EU to the dot-com top-level Google domain. Depending on how this dispute is resolved, the EU could extend its right to be forgotten beyond its borders. As Google explained in court filings challenging the CNIL’s decision, “[t]his is a troubling development that risks serious chilling effects on the web. While the right to be forgotten may now be the law in the EU, it is not the law globally.” Or at least, it is not yet.
So much for the tremor. What about the quake itself? That struck in October 2015, when the European Court of Justice effectively invalidated the EU/U.S. Safe Harbor agreement. This agreement, reached in 2000, permits the transfer of EU citizens’ data to the U.S. under certain conditions. These conditions, in a nutshell, amount to privacy enhancements the EU insisted be bolted onto existing U.S. privacy laws in order for the EU to deem this country “adequate” (their word) with respect to data protection.
The European Court of Justice invalidated this agreement upon concluding (without fact finding and evidence gathering) that the U.S. government engaged in indiscriminate and mass surveillance of EU citizens. Without belaboring the court’s opinion, it is safe to say that it was a 7.8 quake on the Richter scale and a further expansion of the EU’s privacy norms beyond its borders.
Both the U.S. Department of Commerce and the European Commission are struggling mightily to reach a renewed Safe Harbor agreement that meets the European Court of Justice’s exacting standards on the meaning of privacy norms. By all accounts, the negotiating parties have gone back to the drawing board several times to little avail. A January 31 deadline imposed on negotiations by the European data protection authorities, after which they would start chasing down Safe Harbor companies, will likely come and go without a resolution to the Safe Harbor impasse.
Finally, after any quake comes an aftershock. In this instance, the aftershock is the EU’s recent adoption of a General Data Protection Regulation. This regulation will update the EU law under which Mr. Costeja González brought his case in Spain. It is a far-reaching regulation that, significantly, extends the right to be forgotten beyond search engines – and it does so without clear criteria.
Under this new regulation, those entities that control EU citizens’ data must delete or delink online information upon request if the controller is no longer using it for the purpose it was provided, or if an EU citizen withdraws consent and the controller cannot show a legitimate need for the data in order to meet remaining contractual obligations. Given how unclear this language is, the new regulation will likely be subject to myriad interpretations and consequent litigation. It is also possible that it will have significant chilling effects on freedom of expression and the right to know online. This is because a violation of the new law may subject a company on the wrong side of it to fines amounting to 4 percent of global revenues (and that’s not a typo). These fines will provide strong economic incentives for those processing data to err on the side of caution, whether a take-down request is legitimate or not.
Time will tell how far the U.S. and other non-EU jurisdictions will go to bend to EU privacy norms. There are those in the U.S. who would welcome such a development. They see the EU’s activism as a real opportunity to force government surveillance reform and comprehensive privacy legislation in Congress and elsewhere.
Before we go there, however, consideration should be given to the impact EU-style privacy protections will have on competing U.S. norms and values, as well as on U.S. tech companies. After all, freedom of speech was the First Amendment to the U.S. Constitution for a reason. And if the U.S. accedes to increasing EU demands around privacy, what is the limiting principle that would inhibit acceding to Chinese or Turkish demands regarding speech or censorship? These and other questions should be debated by U.S. stakeholders – as hard as that may be for those who are still recovering from the earthquake.