As Europe’s privacy laws evolve, so must American companies when operating ‘across the pond’

WASHINGTON — In 1998, a Spanish newspaper announced that a man named Mario Costeja González had his home repossessed.

A decade later, González Googled his name and found that the incident came up in search engine results. Incensed, he complained to Google, asking that information related to him be erased because he thought it was no longer relevant.

Google refused and the dispute ended up in court. In 2014, the Court of Justice of the European Union ruled in favor of González.

The ruling may seem like an affront to free speech, but the court’s decision reflected the region’s long-running commitment to privacy protection.

With the global nature of Internet commerce, Google will not be the only American company ensnared by European data protection laws. Many other firms may find themselves – sometimes unwittingly – intruding on European privacy laws, and they are spending more money and effort into coping with this digital clash of cultures.

More than an ocean apart

Citizens in the U.S. and Europe value privacy. But they articulate it differently in legal terms.

Every European citizen has the “right to respect for his private and family life, his home and his correspondence,” according to the 1953 European Convention on Human Rights – and the most significant legislation by the European Union in recent years is a 1995 directive, which outlines core principles its members should observe.

The directive says that governments, institutions and companies should inform citizens of what information is being collected, ensure data is not disclosed to other parties without the individuals’ consent and allow them to access and correct to data about them.

The directive has formed the backbone of many European countries’ national privacy laws protecting citizens against intrusions by government and by companies, said Viktor Mayer-Schönberger, an Internet governance and regulation professor at England’s University of Oxford.

One component of the European Union directive states that personal data can be processed only with unambiguous consent given by the subject, among other requirements.

The EU’s Court of Justice ruled in favor of González last year for precisely this reason: Since individuals must give permission for the search engine to handle their data, the companies have to handle requests that their information be taken down.

Privacy law is articulated very differently on the U.S. side of the Atlantic. It is not explicitly guaranteed in the Constitution and only suggested by the Fourth Amendment’s requirement for a warrant for the government to search a citizen’s home.

“What the U.S. lacks is an omnibus privacy laws that binds not just the public sector but the private sector as well,” said Mayer-Schönberger. “But the U.S. does have a number of sectoral privacy laws that also apply to the private sector, such as in the context of health data.”

In other words, “privacy in relation to private companies is seen as a species of commercial regulation,” said Bill McGeveran, an information law professor at the University of Minnesota.

The implication of this is enormous for companies wishing to collect and process information about their consumers.

“In Europe, you can only do so if the law says you specifically can, but in the U.S. you can collect data about anyone, anytime, unless there’s a law that prohibits it,” said McGeveran.

“Data is a resource in Europe and the U.S. but in Europe, it’s something in the ground and you need to ask permission before you can mine it.”

Why Europe and America differ on privacy issues

People in the U.S. want privacy just as much as people in Europe, Mayer- Schönberger emphasized. But there is no single easy answer for why data protection legislation is more clearly laid out in Europe.

Europe’s tangled history with data privacy could be a reason – the Nazis used personal data to target marginalized communities during the Holocaust, and in the 1980s, privacy advocates in Germany protested against a census in West Germany that asked questions they deemed too invasive.

“As Germany has always been a key power broker in the EU, that spilled over into the European debate,” he said.

Fred Cate, a law professor at Indiana University, also said the economic reliance of the U.S. economy on technology is also an important reason.

“The U.S. is huge on data innovation – privacy is important, but so is economic success,” he said. “There isn’t a European search engine that can compete with Bing and Google, and so fewer European companies are using privacy as a competitive tool.”

What this means for American companies

For American companies, complying with European privacy laws is a complex process because the level of enforcement varies from country to country. McGeveran said that while privacy regulators in England and Ireland tend to be more cooperative, Spain and Germany are tougher on firms, slapping violators with fines.

Firms may have to jump through additional legal hurdles to do something like moving internal company data, such as payroll information, out of Europe to the U.S.

The clashing regulations could put companies in a legal quandary.

Cate cited the example of a company that was required by a U.S. court to produce certain data that the German government prohibited it from obtaining. “You’re stuck between a rock and a hard place,” he said. “Whose law do you choose to violate?”

American companies therefore must plan carefully when operating into Europe, especially with the ever-changing Internet landscape and the privacy concerns it has raised.

“They cannot assume that their structure and business model in the U.S. can be duplicated in Europe without any modifications,” McGeveran warned.

The 2014 European decision about Google highlighted this challenge starkly. Search engines engines have scrambled to cope with the new development in European privacy law.

Google and Yahoo have set up online forms for users to submit removal requests.

To date, Google has approved 286,814 – or 40 percent – of the removal requests they have received, after judging whether the results were outdated, inaccurate, inadequate, excessive or of interest to the public.

Yahoo has set up a similar intake form as well as a task force to figure out how to process the removal requests, said Laura Juanes Micas, a senior legal director of international privacy at the search engine company.

“This situation was about a particular case in Spain and it has been challenging to create general rules for all removal requests from this one case,” she said.

She added that the ruling placed the burden on search engines to figure out how to balance the rights of the individual to privacy and a third party’s right to freely express himselves on the Internet – but this was hard for private companies whose main duty is to make profit and serve its customers.

American search engines are not erasing search results in non-EU web domains for now, meaning that the information would still be viewable in the U.S. version of Google, for instance. However, European regulators are pushing them to apply the ruling for all web domains, said Lucio Scudiero, a privacy legal counsel in Italy and fellow at the non-profit think-tank Italian Institute of Privacy, said.

“I expect this issue to end up in courts on both sides of the pond soon,” he warned.


Comments are closed.