Google is forced to wipe a Spanish citizen's past financial troubles from its records. The Belgian Privacy Commission tells Facebook it must "bend or break" to abide by the country's privacy laws. A plaintiff presses privacy cases against Facebook in both Austrian and European courts.
In each instance, national privacy laws collide with the international nature of the Internet, and with American business expectations. Cross-border issues of the online world are not new, of course: the European Data Protection Directive at the center of many such cases was enacted in 1995, and online jurisdiction cases go back at least as far (the 1996 U.S. vs. Thomas decision affirmed a California bulletin board system (BBS) operator must obey "community standards" for Tennessee subscribers). Yet few cases have cited the European law to prosecute U.S. companies.
Then came Edward Snowden. His 2013 exposé of spying practices revealed the U.S. was secretly collecting protected European data, often via U.S. companies like Facebook. The global community upped the ante in response, with new laws proposed or enacted in countries as diverse as Madagascar, Thailand, and Chile. In Europe, individual countries have used the 1995 law to challenge American practices, and the European Commission plans changes to the law it claims will "strengthen online privacy rights and boost Europe's digital economy."
"What has changed over the past few years is that this issue has become much more political" said Omer Tene, vice president of Research and Education for the International Association of Privacy Professionals. "European politicians started presenting it as a competitive difference between U.S. and European industry. In their presentation of the world, if you store or provide your data to U.S. companies, U.S. national security authorities will put their hands on it, whereas if you work with Europeans, they won't." However, he said, "that's far from the reality, because European national security authorities have powers that are not wholly different. In many cases they have laws that are even stronger, and often with less transparency."
Data transfer is a major issue at the core of the dispute. The European Data Protection Directive says, among other things, that personal data can only be transferred in non-restricted form to 10 countries outside the European Union (EU) whose laws provide "adequate protection." The list currently includes Argentina, Switzerland, Israel, New Zealand, and Uruguay, as well as five tiny countries each with populations under 100,000 (Andorra, Guernsey, the Isle of Man, the Faroe Islands, and Jersey). Canada and Australia are additionally certified, with limitations.
The U.S. uniquely benefitted from a "safe harbor" provision that allowed domestic companies to self-certify that they comply with certain principles relating to: notice (when personal information is collected); the choice to opt out of such collection, and access to data collected. The safe harbor law further required such data to be kept secure; to be used only for a specified purpose; and to be kept from being recklessly transferred to third parties. Finally, U.S. companies in the safe harbor program had to implement ways for Europeans to enforce their rights under the provision.
That exception was struck down by the Court of Justice of the European Union (CJEU) as a result of a two-year-long case filed by Max Schrems, a doctoral law student in Austria who prosecuted Facebook in Austrian and European courts. In the lead-up to the Court's decision, Advocate General Yves Bot cited Snowden, as "the law and practices of the United States offer no real protection against surveillance by the United States of the data transferred to that country.... The surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance." Schrems also linked the CJEU's decision to U.S. spying, writing that "The judgment makes it clear that U.S. businesses cannot simply aid U.S. espionage efforts in violation of European fundamental rights."
Just as "states' rights" arguments complicate American law, relationships between EU statutes and those of member countries complicate Continental law. Donald Aplin, who covers these issues as managing editor of Privacy & Data Security Law Report at Bloomberg BNA, explained one important distinction: "European Directives like the current Data Protection Directive are things where the European Commission says, 'here, everybody should follow this in the EU.' Then each independent member state has to adopt that Directive into its own national laws. A regulation, on the other hand, is something that is law for the whole EU from the second it's passed." Since 2012, the European Commission has been planning to replace the Data Protection Directive with a new General Data Protection Regulation. With passage possible within the next year, Aplin believes "That regulation will fundamentally change a lot of how the EU enforces privacy."
Individual European countries have their own privacy laws, some of which precede the Directive: The Belgian Privacy Commission referred to a domestic 1992 law when it slammed Facebook in a May 2015 report. Among other things, that 28-page Recommendation particularly called out the company's practice of broadly tracking users throughout the Internet, even those who have deactivated their accounts or opted out of receiving targeted ads. In response, Facebook claimed it is bound only by the national data protection laws of Ireland, where its European operations are based, for all its users in Europe. The Belgian Court of First Instance ruled against Facebook, fining the company 250,000 euros per day that it continues to track non-members. Facebook has said it will appeal the ruling.
The Belgian Court of First Instance ruled against Facebook, fining the company 250,000 euros per day that it continues to track non-members. Facebook has said it will appeal the ruling.
Belgian Privacy Commission President Willem Debeuckelaere challenged Facebook's assertion on two points. "First, Facebook has five million members in Belgium," he said. "It's a small country, with only 12 million inhabitants, so that's around 40% of our population. The Belgian data protection authority is in charge of this particular question, just as the Federal Trade Commission is in the U.S. Second, European legislation states a country can use its proper powers if there is an establishment of the company or organization in your country. That's the case with Facebook Belgium, which is one part of the whole Facebook structure. There are only four or five people working there, but no matter; they're here! This nexus is enough, and is the legal basis for us to go to Belgian courts."
Europe has been the most active region for privacy law so far, but governments around the world have been busy creating and enacting laws, even if enforcement often follows only years later. For example, news items posted to Aplin's publication in a recent one-week period reflect developments in Macau, Hong Kong, South Korea, Germany, and the U.K.
Global law firm DLA Piper's interactive "Data Protection Laws of the World" site labels data protection regulation and enforcement as "moderate" or stronger in the world's most far-flung countries. In particular, data protection in South Korea and Canada stand out as "heavy," while Australia, New Zealand, Argentina, Japan, and Morocco appear as "robust," along with the U.S.
Asia and Latin America are a mixed bag; China is still a big unknown, although the country's January 2014 release of "Measures for the Administration of Online Transactions" may indicate future directions.
Africa has remained comparatively inactive, although that may be changing. The 54 members of the African Union introduced a Convention on Cybersecurity and Data Protection in June 2014, although ratification appears to have stalled. (As of June 2015, however, 18 African nations have "comprehensive privacy laws regulating the collection and use of personal information by the private sector," according to Bloomberg BNA.)
Aplin believes the delay may be a matter of priorities. "There's a lot going on in the EU because Europeans have the luxury of thinking about things like privacy, which is a classic First-World issue," he said. "All the big African countries recognize they probably should be dealing with this issue, but they're also worried about getting the roads and phones to work, and labor law, and environmental issues."
Regardless of economy, former colonies tend to have laws that reflect their heritage, said Aplin. "When you look at Africa, you can see which ones were the French colonies. Côte D'Ivoire is a good example; their data protection is very much based on what the French do."
So what can a company like Facebook do? According to Jim Halpert, partner and chair of the U.S. Data Protection and Privacy Group at DLA Piper, "Being in compliance all over is a fairly Herculean task, given the complexity of requirements around the world. If you're exposed in different countries, you may pick one high-water mark country like Germany and establish German requirements; that will stand you in pretty good stead. There will be other formal filing requirements in countries like South Korea and the United States, so there's still some localization needed."
"There's a lot going on in the EU because Europeans have the luxury of thinking about things like privacy, which is a classic First-World issue."
For Debeuckelaere, the ability to prosecute Facebook in Belgium is a matter of basic rights. "If Facebook's Belgian company should disappear, we could transfer the question to Irish or Dutch or German authorities. Even now, we could go to the Irish courts. But why should we do that?
"The European Convention on Human Rights gives every citizen the possibility to ask a national judge to enforce fundamental rights. One of these is the right to privacy. So why should we go to Ireland or the Netherlands or Germany or California when we can do it here? It's cheaper, it's easier, and it's in our own languages."
Rich, C.: "Privacy Laws in Africa and the Middle East" (et sim.), Bloomberg BNA Privacy and Security Law Report, http://www.mofo.com/people/r/rich-cynthia-j?tabs=publications
Belgian Privacy Commission, "On 13 May the Belgian Privacy Commission adopted a first recommendation of principle on Facebook", http://www.privacycommission.be/en/news/13-may-belgian-privacy-commission-adopted-first-recommendation-principle-facebook (Unofficial English translation, 2015)
Belgian Official Journal, "Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data," http://www.privacycommission.be/sites/privacycommission/files/documents/Privacy_Act_1992.pdf (Unofficial English translation, 2014)
European Commission "Protection of Personal Data" website, http://ec.europa.eu/justice/data-protection/index_en.htm (English version)
European Commission, "Reform of the data protection legal framework in the EU," http://ec.europa.eu/justice/data-protection/reform/index_en.htm
European Commission, "Factsheet on the 'Right to be Forgotten' Ruling (C-131/12)", 3 June 2014, http://ec.europa.eu/justice/newsroom/data-protection/news/140602_en.htm.
U.S. Government (multiple agencies), "Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks," http://www.export.gov/safeharbor/
Schrems, Max "Europe versus Facebook," http://europe-v-facebook.org
DLA Piper, "Data Protection Laws of the World," http://dlapiperdataprotection.com
©2016 ACM 0001-0782/16/02
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from firstname.lastname@example.org or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2016 ACM, Inc.
No entries found