The E.U.’s Super-Judicial Privacy Regulation Agency: Establishing an international standard for cyber data privacy

The European Commission is expanding its authority in order to protect citizens’ right to online privacy, but in the process is infringing on other sovereign states’ jurisdiction and is making it harder for technological innovators to operate in the E.U.

In seeking to strengthen its centralized enforcement of users’ data privacy rights, the European Union’s (E.U.) Commission is creating a future data protection regulation agency.1 Skeptics, such as Facebook, fear that the proposed agency’s policy to expand the data privacy “right to be forgotten”—an E.U. basic human right to delete personal data—will impede flourishing innovations online within the E.U.2 The proposed data protection agency may create a super cyber regulator that imposes its higher privacy standards on the world, altering the market for cyber companies who provide services to users in exchange for their data.

The current European privacy regulator, the Article 29 Working Party (Working Party), only delivers non-binding recommendations to the sovereign states that accepted the directive from the Organization of European Cooperation and Development, O.E.C.D.3 The Working Party’s task is to protect the states’ residents’ basic privacy rights.4 While the United States endorsed this directive, it has not implemented the Party’s recommendations within its jurisdiction.5 Thus, the Working Party’s privacy rights enforcement is limited to the states that adhere to its recommendations. To correct this weakness, the E.U. is centralizing its power to enforce its residents’ basic human rights to privacy, as each state’s courts have limited powers to enforce their laws on multinational internet companies.

The E.U.’s fundamental state interest to protect privacy rights is much stronger than in the U.S. The E.U. guarantees the fundamental human right to one’s privacy under Article 8 of the European Convention on Human Rights, which requires all states to broadly protect their citizens’ rights to privacy in their home, family life, and correspondence.6 In contrast, the U.S. Constitution only grants U.S. citizens a limited right to privacy, which is neither absolute nor extended to residents or denizens.7 However, both should enforce privacy rights on companies overreaching their powers online.

Previously, sovereign states have enforced privacy rights by individually threatening large companies to alter their privacy policies. Recently, Google promised to delete some of its data collected from its Street View project, after several state regulators in France, the United Kingdom, and the U.S. Federal Trade Commission threatened fines ranging from €25,000 to €130,000.8 Google claimed to adhere to France’s privacy regulations, yet France fined it €150,000 for providing users with only opt-out, rather than opt-in, options for data collection.9 Yet, despite prompting Google to change some of its policies, this enforcement was not entirely successful. The recommendation requested that Google obtain pre-approval for every new privacy policy from the Article 29 Working Party, yet Google declined, requiring regulators to enforce any violation after notifying it of the facts.10 This example shows the limits of sanctioning powers and the limited effect a non-unified regulatory agency has on large international organizations’ privacy policy implementation.

Germany is now threatening to sue Facebook for violating its Telemedia Privacy Act, yet the sanctions it is threatening only amount to bad press and €20,000.11 While these limited sanctions arguably will not force alterations of policies, the drafted General Data Protection Regulation directive provides sanctions equaling 2% of a violating firm’s worldwide revenue.12 It also claims jurisdiction over all foreign companies that collect any data on E.U. residents.13 Thus, the E.U.’s new super-state privacy agency may force international companies to finally confirm their privacy policies before any new innovative service is launched in Europe.

This regulation specifically provides users of free or paid services with the “right to be forgotten” under Article 17, and the “right of portability” under Article 18, as long as data of E.U. residents is processed.14 As a result, service providers with user data will have to develop and use technology to allow their users to transfer their property interest in data to any format required to exercise their right of portability and to delete all of their data from their services. This regulation will likely increase the costs of innovative service providers and free services like Facebook. Also, each non-E.U. firm without establishments in the E.U. will be required to have a specialized E.U. data-protection officer to mitigate privacy infringement litigation.15

These policies seem to represent an overburdensome regulation on tech innovation. They pose real limitations on innovation and on the U.S.’s right to regulate its domestic companies in accordance with its own laws. Previously, each sovereign state has treated invasion of privacy lightly and regionally. Yet now the severe and strict nature of the new regulations may force companies to check their new projects with E.U. regulators before testing their beta products on users. Thus, the E.U. would have jurisdictional authority to impose its higher cyber standards on the rest of the world.

Perhaps markets will be able to limit their innovation in order to protect the fundamental state interest of privacy, but such efforts may simultaneously infringe on other sovereign states’ sovereign rights. Instead, these international cyber service providers may reduce services to E.U. residents or force residents to pay for their services in the E.U. Still, the E.U. will remain the leading force in protecting users’ privacy rights from international cyber companies’ encroachments. The E.U. will either obtain compliance or establish a boycott, with costs passed on to the users with broader data privacy rights, as it defends its residents’ basic human rights of data privacy online.

[1] Natasha Lomas, European Parliament draft reports back EC’s data protection reform and strengthen the right to be forgotten (March 9, 2013 at 3:30PM), http://techcrunch.com/2013/01/08/european-parliament-draft-reports-back-ecs-data-protection-reform-reinforcing-the-right-to-be-forgotten/.

[2] Id.

[3] O.E.C.D. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, (March 9, 2013, 3:30PM), http://www.oecd.org/internet/interneteconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm.

[4] Id.

[5] Anna Shimanek, Note, Do you Want Milk with those Cookies?: Complying with Safe Harbor Privacy Principles, 26 Iowa J. Corp. L. 455, 462–463 (2001).

[6] European Convention on Human Rights, art. 8, Nov. 4 1950, E.T.S. No. 5; 213 U.N.T.S. 221.

[7] “[T]he Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution.” Roe v. Wade, 410 U.S. 113, 152 (1973). “The Court’s decisions recognizing a right of privacy also acknowledge that some state regulation in areas protected by that right is appropriate. As noted above, a State may properly assert important interests in safeguarding health, in maintaining medical standards, and in protecting potential life. . . The privacy right involved, therefore, cannot be said to be absolute.” Id. at 154.

[8] Eric Pfanner, Google failed to delete street view data in France, N.Y. Times, July 31, 2012, (March 9, 2013, 3:30 PM), http://www.nytimes.com/2012/08/01/technology/01iht-google01.html?_r=0.

[9] “The officials said, among other things, that Google’s new policy inadequately informs users of how their personal data are used and does not allow users to control how their data are combined across the company’s many services. The company also fails to provide retention periods for user data, as required by EU and French law, they said. . . Falque-Pierrotin noted that in March 2011 the CNIL levied its highest ever fine of €100,000 ($130,459) on Google over its collection of unsecured wireless internet connection data using Street View mapping project vehicles (10 PVLR 479, 3/28/11).” Article 29 Working Party Urges Google To Reconsider Privacy Policies by Year’s End, Bloomberg, October 22, 2012, (March 9, 2013, 3:30 PM), http://www.bna.com/article-29-working-n17179870400/.

[10] Id.

[11] Jo Best, Zuckerberg faces €20,000 fine over Facebook’s anonymous accounts ban, Jan 7, 2013, (March 9, 2013, 3:30 PM), http://www.zdnet.com/zuckerberg-faces-20000-fine-over-facebooks-anonymous-accounts-ban-7000009447/.

[12] “It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for US companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2 % of worldwide turnover.” New Draft European Data Protection Regime, February 2, 2013, (March 9, 2013, 3:30 PM), http://www.mlawgroup.de/news/publications/detail.php?we_objectID=227.

[13] “The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents.” Id.

[14] “New privacy rights, including data subject’s “right of portability” and the “right to be forgotten”, will be established in the EU. The “right of portability” will allow a transfer of all data from one provider to another upon request, for example transfer of a social media profile or email, whereas the “right to be forgotten” will allow people to wipe the history clean.” Id.

[15] “The EU data protection regulation will also apply for all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents. This may force for example US companies not only to comply with EU law, but also to establish a data protection management, for example by appointing an “European” data protection officer.” Id.