European data privacy laws, already far more restrictive than those in the United States, are about to get stricter and will apply to more U.S. companies than they currently do.
The EU is in the process of developing a new General Data Protection Regulation, a single Europe-wide set of data privacy rules currently working its way through the EU legislature. The regulation, which was expected to be adopted next year and take effect in 2016, may be put into effect much sooner.
That's because European lawmakers are concerned about the collection of personal data by U.S. government agencies, including the U.S. National Security Agency. European Members of Parliament condemned the possible wire tapping of EU citizens, alleged in revelations brought to light by the NSA leaker Edward Snowden, and said the reports will strengthen the conviction of policymakers who believe that EU citizens can't trust the U.S. legal system to protect their privacy. "Our allies treat us not as friends but as suspects," Sophie in't Veld, the Dutch vice chair of the European Parliament's Civil Liberties, Justice, and Home Affairs committee said in a statement. “EU citizens must be guaranteed protection under our own EU laws.”
The GDPR will overhaul the current Data Protection Directive, which is almost 20 years old. Among its strict provisions are plans to require explicit consent from users for data collected and notification of how it will be used, breach notification to authorities within 24 hours, the right for users to have their data deleted, requirements that data protection is designed into the development of business processes for products and services, and that privacy settings are set at a high level by default. Violations of the rules could come with severe penalties as high as 2 percent of global revenues for the worst offenses.
For U.S. companies the toughest aspect of the new data privacy regime will be the extent to which it applies to them. The law covers all data subjects (customers and users) who are based in the EU, so the law applies to organizations based outside the European Union if they process personal data of EU residents. Lawyers say many U.S. businesses have been slow to think about how the regulation might impact them and that many U.S. companies don't understand the effect of Europe's existing data laws.
“To many U.S. companies, the EU laws often remain an anathema and their instinctive reaction is to comply with U.S. government and court demands first and worry about the EU data privacy laws later,” says Toby Duthie, a data protection expert at consulting firm Forensic Risk Alliance. “This is changing, but slowly.”
Do Current Laws Apply?
U.S. companies often assume, wrongly, that Europe's data laws don't affect them because they don't have a legal entity in the EU, says Jonathan Bartley of law firm Manches. He says the directive is clear about whether a non-EU business is caught in its net or not—at least in principle. It applies to any company that has an “establishment” in an EU member state and “processes personal data in the context of that establishment.”
The Directive also applies to a company that uses “equipment,” or some other means of processing personal data, that is situated in an EU member state, unless the equipment is used solely for the transit of data through the EU. Principles aside, there's a lot of uncertainty about what the words "establishment" and “equipment” mean in practice. “Data protection regulators in the EU tend to apply EU law as broadly as possible in order to seek maximum protection for EU citizens,” says Wim Nauwelaerts, partner at law firm Hunton & Williams.
There's a further layer of complexity. The Directive sets a framework, but each EU member state has to implement it via its national laws. Legislators often tweak the measures along the way. “What can be particularly complex is determining which member state's laws apply to a U.S. company's EU data processing, particularly if they have multiple subsidiaries or offices in various EU member states. In some cases, more than one member state's laws may apply,” says Bartley.
The draft regulation, when it takes effect, should help companies by creating a more consistent approach across Europe. But it also changes the territorial terms of the EU's data laws in a way that will bring many U.S. companies under their scope for the first time, and with stiffer penalties and tougher rules.
Under the current draft, it would catch companies that process personal data related to the offering of goods or services to people in the EU or that “monitor” their behavior. The fact that they might not be established in the EU wouldn't get them off the hook anymore. “This would be a significant extension of EU law and has raised concerns by many in the international business community,” says Doshi.
“The current emphasis on ‘presence’ in the EU, whether through people or equipment, will be supplemented by a focus on the targeting of EU individuals, and will apply to many U.S. online retailers and service providers,” says Bartley.
FIVE PRIVACY MYTHS
Below, the U.S. Department of State explains the five myths regarding privacy and law enforcement access to personal information in the European Union and the United States.
Myth 1: The United States Cares Less About Privacy Than the European Union.
Reality: The United States was founded on—and its modern-day laws, regulations, and practices reflect—a core belief in the importance of protecting citizens from government intrusion. Our most important legal document—our Constitution—set forth, more than two hundred years ago, a Bill of Rights that provided protection from unreasonable searches and seizures, and that continues to protect privacy today, including the privacy of electronic communications.
The United States and the European Union are united in our common values regarding the fundamental importance of privacy protections and our deeply rooted commitment to continue to safeguard these values in the digital age.
Myth 2: The European Union Does a Better Job of Protecting Data From Law Enforcement Access Than the United States.
Reality: Privacy protections limiting U.S. law enforcement access to electronic communications, a key area of modern data privacy concern, are among the highest in the world. They provide protections that are at least equivalent to—and often superior to—those provided by the laws and practices in many EU Member States.
Myth 3: U.S. Law Enforcement Authorities Are Less Protective of the Privacy Interests of Foreign Nationals Than of U.S. Citizens.
Reality: In the key area of law enforcement acquisition of electronic communications, the stringent U.S. statutes protecting the privacy of email and voice communications apply equally to foreign nationals and U.S. citizens.
Moreover, the United States does not discriminate with regard to judicial redress to obtain access to personal data collected for criminal investigations, and provides opportunities for any person, regardless of citizenship, to correct such data if it is believed to be inaccurate, as explained below.
Myth 4: The Patriot Act Gives the U.S. Government Carte Blanche to Access Private Data Stored in the “Cloud” or Elsewhere.
Reality: The Patriot Act continues to be the subject of serious misinterpretation and mischaracterization. While portions of the Act updated existing investigative tools, the Patriot Act did not eliminate the pre-existing, highly protective restrictions on U.S. law enforcement access to electronic communications information in criminal investigations—restrictions that are, as noted above, no less stringent than those found within the EU.
Myth 5: The Advent of “Cloud Computing” Changes Everything.
Reality: Even before the “cloud” became a popular concept, data was stored remotely and U.S. laws anticipated the need to protect such data. As a result, U.S. law has carefully regulated law enforcement requests for remotely stored data and other records since long before even the Internet—for this is an issue that predates both the Internet and cloud computing.
Source: U.S. Department of State (photos.state.gov).
The national data protection regulators that would enforce the new laws have doubts too. Britain's data regulator said recently, “I see real problems ahead with the practical delivery of a regulation that is still so detailed and specific as to the processes DPAs shall undertake in almost all circumstances.”
There is also the issue of enforcement. Whether member states will give their data regulators enough budget to bring such cases remains to be seen, but the Snowden affair, say lawyers, could provide the impetus to pursue U.S. companies more vigorously. “Typically, it's politically driven—a specific government decides that enforcement is a priority,” says Duthie. Based on the spying anger in Paris and Berlin, “a significant uptick in enforcement of these laws is more than likely,” he believes.
Richard Nicholas, a technology expert at lawyers Browne Jacobson, is not so sure, however. He expects to see plenty of political posturing on privacy, but doesn't think EU policymakers will want to toughen the regulation just as they are negotiating a new free trade deal with the United States.
“There's no doubt the recent data snooping row has certainly raised tensions,” says Doshi. “But I don't believe that in the long run it will affect the regulation. The substantive issue will remain the international business community's concern about its territorial extent, and I would expect to see continued heavy lobbying by international business on this point.”
The U.S. diplomatic mission to the EU—effectively its European embassy—has already moved to defend the country's record on data protection. “The transatlantic privacy discussion is too often based on myths about the U.S. legal system—myths that obscure our fundamental commitment to privacy and the extensive legal protections we provide to data,” it said in a position statement. It claims U.S. law offers protection that is as good as or even better than the EU framework.
But it has a lot of convincing to do. “There is a massive gulf between the robust EU data protection environment versus that in the United States, where there is a unique and striking absence of one,” says Duthie. “The EU member states already have strict data protection laws in place, and these are likely to become stricter given the recent U.S. spying claims.”