Europe is effectively becoming the internet’s privacy cop, with implications for any company doing business in Europe and many outside Europe. We’ve seen the beginnings of this in the attempted global enforcement of the Right to Be Forgotten (RTBF) through Google.com. Now RTBF is being subsumed under a more sweeping set of rules in the form of the General Data Protection Regulation (GDPR).
RTBF is not being replaced; it’s being strengthened. Call it RTBF 2.0.
Not yet implemented, the GDPR has been in development since 2012 but has not received much attention in the US. The GDPR is well intentioned and seeks to provide a uniform and updated privacy framework for all of Europe. However, in practice the new rules may prove problematic and highly challenging for US and other non-EU companies.
Depending on your view, this comprehensive overhaul of Europe’s “data protection” laws is either a welcome update or a bureaucratic and legal nightmare in the making. If you’re a privacy advocate you’ll probably cheer the new rules. If you’re a technology company, journalist or publisher, you may be less sanguine. (The recent and related invalidation of the Safe Harbor rules governing data transfer between countries has created tremendous uncertainty in its wake.)
The GDPR is expansive and complex and makes a number of changes to European Commission jurisdiction, company responsibilities, liability and penalties associated with privacy rights and violations in Europe. Some critics have also argued that the new GDPR is a basic threat to free speech because it doesn’t provide sufficient protection to expression in its many forms (and to archived content in particular).
Supporters of the GDPR would of course disagree with these critiques.
Attorney Daphne Keller has written an in-depth discussion of the new rules and what they mean. Many provisions of the GDPR are highly technical — the different obligations and liability for “Data Controllers” vs. “Data Processors” for example. Beyond this, many questions about the practical impact of the GDPR remain uncertain or unexplained at this point.
According to Keller’s blog post the GDPR will extend EU privacy jurisdiction over companies with any connection to Europe, however slight:
The GDPR asserts jurisdiction over entities that offer services to or “monitor” EU users. “Monitoring” seems to be defined broadly enough to include fairly standard web and app customization features, so the law reaches many online companies outside of the EU. In practice, regulators presumably will not prioritize or dedicate limited resources to policing small and distant companies. But the GDPR will be an issue for companies with growing EU user bases and presence in Europe; and regulators can choose to enforce the law against many more entities around the world.
Since the internet is a global marketplace, this jurisdictional expansion gives the GDPR potential global reach and impact. As a practical matter, this may mean that Europe will de facto determine data handling and privacy policies for other non-EU markets — in the same way that RTBF-mandated removals from Google.com would have an impact outside of Europe.
Keller illustrates this in her discussion of the tension between content removals and free speech under the new law and its potential impact on non-EU countries:
[P]rocedural details in the GDPR’s removal and review process tilt the playing field in favor of privacy rights, and make users’ free expression rights harder to vindicate. A final problem is that different countries have very different laws balancing free expression against other rights, including privacy or data protection. Content that self-evidently should be removed in Europe may be protected and lawful speech in the US and other countries. Applying EU removal standards to content in those countries creates a free expression issue for Internet speakers and readers there.
On the other side, the European Commission cites numerous consumer benefits under the new rules:
A ‘right to be forgotten’ will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
Easier access to one’s own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
Companies and organizations will have to notify serious data breaches without undue delay, where feasible within 24 hours.
A single set of rules on data protection, valid across the EU.
Companies will only have to deal with a single national data protection authority – in the EU country where they have their main establishment.
Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
EU rules will apply to companies not established in the EU, if they offer goods or services in the EU or monitor the online behavior of citizens.
Increased responsibility and accountability for those processing personal data. Unnecessary administrative burdens such as notification requirements for companies processing personal data will be removed.
National data protection authorities will be strengthened so they can better enforce the EU rules at home.
There will probably be many more discussions of various aspects of the law. The GDPR represents a significant new regulatory framework (or expansion of the current one) that will affect US and non-EU tech companies in myriad ways.
It’s important for those doing business in or with Europe to be aware of the new law and its potential implications. However, many of those implications aren’t entirely clear at this point.