Data Privacy and the New EU Law
The European Union's sweeping new data privacy law takes effect May 25. The law, the General Data Protection Regulation (GDPR), is the first major overhaul of EU data protection rules in more than 20 years. It restricts how companies collect, store, and use EU residents' personal data and gives individuals more control over access to their personal information.
Columbia Law School Professor Anu Bradford, a leading EU and international law expert who has worked in the European Parliament, sheds light on the new regulations and how they might apply to the United States.
What can individuals expect from the new laws, in terms of personal privacy? Will they apply to Americans as well as Europeans?
The GDPR will apply to all companies processing personal data of individuals residing in the EU, regardless of the company’s location or where the data is processed. The GDPR therefore also applies to “data controllers” or “data processors” established in the U.S., as long as they offer goods or services to EU citizens or monitor behavior that takes place within the EU.
The GDPR also bans the transfer of data from the EU to third countries that fail to ensure “an adequate level of protection” of data privacy rights, including the U.S. Most U.S. companies can only transfer data involving European data subjects to the U.S. if they agree to comply with EU standards embedded in the “Privacy Shield”—an agreement negotiated between the EU and the U.S.
The GDPR limits the quantity of personal data that can be collected and the purposes for which it can be collected, and imposes additional obligations on the entity collecting or processing the data, including the obligation to ensure the integrity, security, and accuracy of the data. Data can also be stored only for a limited period. The GDPR also encompasses the principle of the “right to be forgotten,” which requires search engines, like Google, to uphold individuals’ requests to have certain content that is no longer “adequate, relevant, or up-to-date” de-linked and no longer searchable on their platform.
Is it true that once the new law goes into effect, any individual located in Europe can ask any company for the data it collects about them—including their own employer?
Yes. An employee can request that his or her employer disclose what personal data the employer collects on the employee and specify the purpose of such data collection as well as whom the data is disclosed to. This includes data such as e-mails, phone call records, or performance reviews relating to the individual. The employer needs to respond to such a request within 30 days and is not allowed to charge a fee to cover the costs of collecting such data. The obligation to disclose this information is also backed by heavy sanctions, including fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the company breaching the GDPR.
Are these new laws too far-reaching or too limiting in regulating the personal privacy of users?
It depends whom you ask. Some privacy advocates claim that the GDPR does not go far enough while many companies worry about the high compliance costs associated with the new law. The U.S. government and many U.S. companies have criticized the EU’s heavy-handed privacy regulation in the past, alleging that it harms business transactions and curtails innovation. However, recently many U.S.-based companies have conceded that the EU privacy norms are the “right” norms. For example, Sheryl Sandberg of Facebook admitted that “Europe was ahead of this.” Similarly, in responding to a question from Sen. Lindsey O. Graham (R-S.C.) during the recent Senate hearing about whether the Europeans had it right in regulating privacy, Mark Zuckerberg said: “I think they get things right.”
Will this force U.S.-based global internet giants like Facebook and Twitter to change their business models?
Absolutely. Many U.S. companies such as Facebook, Google, Apple, Microsoft, and Airbnb have revised their privacy policies to conform to the GDPR, extending the same privacy rights to their customers globally, as the logic behind “the Brussels Effect” would suggest. These companies often find it difficult to follow different privacy standards in different markets and therefore tend to apply the strictest international standards across the board. At times, it is technologically difficult to separate data involving European and non-European citizens. It can also be hard to justify offering better privacy protections for some users than others, further pushing companies towards a single global standard.
Tech giants such as Apple and Microsoft have also emphasized how they incorporate European privacy norms into the design of their products, developing their products with built-in features that conform to the strictest privacy settings by default. This is in line with the GDPR’s requirement regarding “privacy by design.”
What steps is Congress taking to address digital privacy in the U.S.?
While over 120 countries worldwide have aligned their privacy laws closely with those of the EU, the U.S. has been an outlier with its relatively weak and sector-specific privacy regulations.
However, the political moment for tougher privacy laws may be arriving in the U.S. as well. The recent data breach scandal involving Cambridge Analytica, which obtained data about over 50 million Facebook users without their consent and exploited the data in a political campaign, has changed the tone of the privacy discussion in the U.S. as well. This event may reduce public trust in internet companies’ self-regulation, potentially catalyzing greater demands for more stringent regulation in the U.S.
# # #
Anu Bradford is the Henry L. Moses Professor of Law and International Organization at Columbia Law School. She is also a Director of the European Legal Studies Center. Her research and teaching focus on international trade law, European Union law, and comparative and international antitrust law.
Posted on May 21, 2018