News - Fresh Data Archive Article


Data Privacy Series #2: Broadening Reach of Proposed EU Regulations

Date: June, 2013

We here continue our series on the European Data Protection Regulation currently under debate in the European Parliament (be sure to also read Data Privacy Series #1). In this edition, we focus on the threatened reach of the law. In some respects this reach would seem to make great sense, but if adopted it would lead to serious tension between Europe and numerous trading partners, especially the United States. Potentially, the legal exposure of US companies acting fully within the bounds of good practice and US law could be significant. Consequently, US companies may have new compliance responsibilities and costs to examine.

Under the current Data Protection Directive, adopted in 1995, the company charged with a violation of the Directive, as implemented in any of the European countries, must have some form of actual presence in the Union. The Directive permitted the application of a Member State’s law even to a company not established on Community territory, if it made “use of equipment, automated or otherwise, situated on the territory” of the said Member.

What “use of equipment” would be sufficient to expose a foreign company to the jurisdiction and potential legal exposure of any given country has not been decisively determined, despite the efforts of scholars, lawyers and government officials. The arguments have been many, and heated, on subjects like whether US companies sending email marketing messages into Europe, which happen to pass through servers in Europe, is sufficient grounds for finding jurisdiction.

There are two main, and many subordinate, reasons why US companies without offices in Europe were not receiving nasty letters from European privacy officials. First, the authorities in Europe had plenty of violators in easy reach to occupy themselves with, and to the extent their offices were supported by the fines they could levy and collect (as in Spain), there was no incentive. Second, chasing up defendants in foreign lands is extremely expensive and the outcome uncertain, especially in the case of laws which the other country finds to be “punitive”. The US FTC has enough to enforce without taking on additional burdens from Europe, especially since the US does not consider the challenged activity undesirable, let alone illegal. And, of course, enforcement of the Directive, in fact even its interpretation, was scattered about through the Member States.

This situation could, in principle, change under the proposed law, the General Data Protection Regulation. The draft states in part…

“2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union; or

(b) the monitoring of their behavior.”

Note that there is no reference to “means” located in Europe. If a foreign company with no business or property in Europe possesses and uses personal information of a European person to make a commercial offer or monitor his behavior (think on-line data gathering in order to categorize and target market), the new Regulation applies to it.

To solve the problem of how to get jurisdiction over a US company, the current Regulation draft requires companies described as above to appoint a representative in the EU unless the company (i) has fewer than 250 employees, or (ii) is “offering only occasionally goods or services to data subjects residing in the Union.” Here is yet another expense of selling into Europe, although it remains to be seen how much compliance there will be with this requirement. Sellers of “digital goods” into Europe are supposed to collect and remit VAT. As they say in New York, “You bet, buddy.”

So, it would appear that the drafters believe that US internet companies will ignore the Regulation, as they are alleged to have done with the Directive, while all the while enjoying the significant commercial benefits in the market. Whether this proves true or not is in any case irrelevant, but given the fact that most US companies endeavor to respect the requirements and rules of the countries to which they send offers, it’s doubtful such enjoyment has been significant. 

The reaction of the US government, and US companies, has been swift and determined. Generally, the argument asserts this to be an unwarranted extension of the jurisdiction of the law and the courts beyond Europe’s borders. Traditionally, the reach of the law was equal to the “reach of the sovereign’s power”. In a world where borders were sacrosanct and most crimes and civil damage claims were domestic disputes, both in legal theory and physical reality, this made sense. 

However, an international consensus has been reached about the grave nature of many serious crimes, the desirability of mutual recognition of the crime and the delivery of the accused across borders for trial and punishment. In short, the international community has developed a system for extending the reach of a neighbor’s authority as well as a system to arrest and transfer suspects between countries.

But this is still difficult and time-consuming, often requiring diplomatic intervention, and these instances involve major financial crimes, theft, genocide, homicide and the like. They don’t involve the use of data to send a letter or email to a prospect who didn’t want it. They involve serious crimes that hurt people and nations.

We should note one more point. After adoption, the law and its interpretation, at least in principle, will be uniform in Europe and effective two years after adoption. 

Should the Data Protection Commissioners of three or four Member States allege a serious misdeed by a foreign company, their colleagues would be very likely to pick up the investigation. The potential for a public relations debacle would be greater than ever and the legal and public relations expense of defending the organization at a distance would be very high.

The European Parliament is now discussing the proposed Regulation in light of over 3000 amendments put forward by representatives. Its target is to complete work and adopt the legislation in the first half of 2014. Time enough to work with Data Services and your legal adviser to assure that your work with data from European residents will be compliant.