In this post, network member Richard Peltz-Steele (UMass) reviews the
state of EU data protection reform, US-EU cooperation on compliance and
enforcement, and the prospects of a successful compromise in a time of
legislative gridlock, government surveillance, and public controversy.
Reflecting on discussions last month in Madrid
in which he took part, he argues that—despite continued European skepticism
and the difficulties of reconciling regulatory ideals with commercial
realities—solid grounds for optimism remain.
* * *
For the last couple of years,
the EU has been in the throes of birthing a General Data Protection Regulation
(GDPR). The GDPR will replace the
existing 1995 Data Protection Directive (DPD), which is showing its age in the
struggle to confront problems of global electronic communication. The impending changes were the subject of a
program of the Union Internationale des Avocats (UIA) in Madrid April 17 and 18,
in which I participated. In light of
those discussions, it seems a good moment to review the expected changes and
their implications for the complex relationship between the United States and
European Union in matters of data protection.
I. From DPD to GDPR – A New Regime for Data Protection
Under EU law, the transition
from a directive (the DPD) to a regulation (the GDPR) is a significant change
in legal form. A directive calls on Member
States to legislate themselves into compliance by enacting compliant national
laws, while a regulation constitutes self-executing Union law. Accordingly, under the DPD, data protection law
has evolved largely in the province of national legislatures, national courts,
and quasi-independent national data protection authorities. But the EU institutions have not been altogether
excluded: for example, the EU Court of Justice (CJEU) has the power to construe
the DPD, and the court has decided questions referred from Member States—notably
including last year’s bombshell, Google
Spain, in which the court ordered Google to de-link search results deemed untimely
and unfair to a data subject. And the
DPD’s “Article 29 Working Party,” a body primarily comprising national data
protection officers and officials of the European Commission (EC), has been
influential in harmonizing data protection law across Member States. In sum, the system that has evolved under the
DPD has been a process of cooperation or dialogue between national and Union
institutions, and one in which the national participants have played a leading
role.
The GDPR will bring about
several changes in the existing regime.
As a matter of black-letter law, the new regulation will beef up data
protection requirements and will create a European Data Protection Board for oversight,
replacing the old Working Party. The resulting
shift from a decentralized dialogue toward a more centralized model is subtle,
but substantial and significant enough to trigger hand-wringing among
negotiating states. More broadly,
however, the GDPR will bring about a seismic shift by purporting to apply in
full to entities with no physical presence in Europe that interact with and
gather data about EU citizens—a change with sharp implications for those
engaged in online commerce, although the scope of the GDPR will be limited
neither to electronic communications nor to suppliers of goods and services.
This change in scope of
application will have significant practical implications. To date, Facebook has been hauled into the
CJEU only thanks to its voluntary presence in the Republic of Ireland, while
the long arm of the Spanish Data Protection Authority was frustrated in trying
to reach “through” Google’s Spanish subsidiary to the operations of the U.S.
parent entity in Mountain View, California.
Under the new regime, the limits of the GDPR will be—at least purportedly—subject
only to the practical limits of enforcement.
Needless to say, this expansion
has foreign actors nervous, especially in the U.S. commercial and information
sectors. Corporate actors are fearful of
the financial toll of compliance with the complicated regime of data protection
regulation that Europe has now cultivated for decades. And online information providers, including
journalists and data brokers, worry that EU regulations will impact both their
bottom line and their editorial discretion, bringing Big Brother oversight to
news morgues, web archives, and aggregated data stores.
But American concerns extend
beyond the EU’s grab for broader jurisdictional reach. Indeed, even commercial actors in the United
States that have long purported to comply with EU data protection law are
rightly antsy. Influenced by a complex combination
of factors—including the Iraq war, the global financial crisis, the Snowden
revelations, and fissures within Europe over GDPR specifics—certification of
U.S. actors as authorized recipients of “onward transfers” of European data is in
profound jeopardy. A collapse of data
transfers would threaten nothing less than paralysis of trans-Atlantic commerce.
The DPD currently requires that
data leaving Europe enter only jurisdictions in which the law provides an
“adequate” framework of comparable protection to that available in Europe. The United States accomplished this “adequacy”
by way of the Safe Harbor framework. The
most important element of this framework is the “Safe Harbor Agreement,” although
in practice most approved transfers occur under so-called “binding corporate
rules” or “model contractual clauses”: in the interests of simplicity, I gloss
over the details here. The important
point is that no onlooker seriously thought that the Safe Harbor framework was truly
“adequate” in the sense intended under the DPD; rather, the use of Safe Harbor was
a concession to practical commercial necessity.
Notwithstanding a spate of noteworthy FTC enforcement actions, compliance
with Safe Harbor by U.S. companies remains largely a voluntary matter, heavily
reliant on industry self-policing. Moreover,
the commercial scope of Safe Harbor represents only a slice of the DPD’s overall
breadth. In sum, the smooth operation of
the system has depended so far on regulators’ indulgence. But Europe now seems discontented with that
arrangement, and that discontent is fueling flames of skepticism and
instability in GDPR talks.
II. Next Steps and the Challenges of the “One Stop Shop”
So where does the GDPR stand
today? Observers have pooh-poohed Europe’s
self-imposed deadline of late 2015 to early 2016, with an effective date two
years on. But at the UIA Madrid program,
an EC leader called for optimism. Bruno
Gencarelli is head of the data protection unit for the EC Directorate-General
of Justice and Consumers, and he has the benefit of an insider’s perspective on
the negotiations. Gencarelli acknowledged
that the two years of effort so far invested in the GDPR seems to have been a
long slog. But, he observed, national
legislation of such comprehensive scope and complex terms, requiring consensus
among a wide array of stakeholders, can take just as long to reach enactment.
Gencarelli reminded the Madrid
gathering that when the DPD was enacted, only one percent of the population of
Europe used the Internet, and Mark Zuckerberg was in primary school. In that light, updating the DPD to create an
instrument that will govern big data for the next 20 years is no small
feat. “You have to make sure that you
get it right,” he said. He anticipated
that a “general approach” will reach the European Council by June 16, allowing Council,
Parliament, and the Commission to engage in “trilogue” conference for final
adoption by year’s end.
A key point of contention within
Europe—where disagreement has resulted in the publication of competing GDPR drafts
(one from the Commission, and a more stringent version from the Parliament)—is the
“one stop shop” (OSS) concept. OSS is an
approach to the resolution of cross-border data protection disputes: its proponents
claim that it will offer a streamlined resolution mechanism leading to a single
and fast supervisory decision with uniform effects. On this view, a successful OSS will reduce
compliance costs by affording actors certainty and consistency. An earlier draft of OSS had provided that the
data protection authority of a company’s “main establishment” would exercise
jurisdiction over cross-border disputes (subject to consultation with officials
from other nations). But that proposal
led to fears of forum shopping (i.e.,
a concern that companies would locate their “main establishment” in countries
with the most lax enforcement). Accordingly,
in March the European Council proposed a more complex compromise that calls on national
data protection authorities to work together and reach agreement, subject to
intervention by the European Data Protection Board to resolve differences.
But this compromise satisfied
neither side. For example, it did little
to address the concern, expressed by some, that citizens’ data protection
rights—protected by Article 8 of the Charter of Fundamental Freedoms and made
legally effective by the Treaty of Lisbon—would be subject to the permissive
whims of a data protection authority in the respondent’s jurisdiction: an
authority that might appear to be, or might in fact be, overly friendly with
domestic industry. By giving data
protection officials in the respondent’s home jurisdiction the lead role in
investigation and resolution, the compromise approach remained vulnerable to
this criticism.
At a more fundamental level, other
critics have challenged the move toward increased harmonization that lies at
the heart of the OSS concept, and indeed characterizes the GDPR as a whole: a
move inspired in part by the perception that some Member States have unfairly courted
business by taking a permissive approach to data protection oversight. In response (and perhaps predictably),
criticism has come both from those demanding more centralization and those who
favor less. Specifically, some decry the
OSS compromise for failing to offer a central European authority (pointing out
that the notion of cooperation among national officials is a fine idea in
principle but unlikely to function smoothly in practice); others raise the
complaint that interlocutory appeals to the European Board will mean only more
bureaucracy, longer proceedings, greater uncertainty, and increasing compliance
costs—precisely the opposite of what the
GDPR and OSS are intended to do.
III. The Place of the United States in Europe’s New Regime
How the United States will fit
into the GDPR is still anyone’s guess.
Agreement with the United States to continue something like the “adequacy”
determination of the DPD seems inevitable, in light of the practical need to accommodate
commercial realities. But myriad
European objections to U.S. data protection remain unresolved. Even as the FTC looks to beef up its
enforcement efforts with White House backing, its broad authority under the
1914 FTC Act—a constitutional law professor’s poster child for the death of
non-delegation doctrine—is facing challenge in the Third Circuit. The Consumer Privacy Bill of Rights Act seems
ill fated amid political gridlock and concerns over the adequacy of
Congressional legislation to solve the problem.
A resilient sticking point with Europe has been the United States’ lack
of judicial redress for private parties aggrieved by data protection breaches,
and the U.S. model of public enforcement is plainly ill suited to the job.
Hope might reside in the
states. They are innovating rapidly, with
many finding or creating private causes of action under the rubric of consumer
protection law: thus, for example, in the vein of the “right to erasure,” a California
statute effective in January grants minors a limited right to demand that
website operators erase their old posts.
But, on a harmonization kick, Europe is not enchanted with the diversity
of the American regulatory “laboratories of democracy.”
Finally, the giant figure of Ed
Snowden continues to overshadow trans-Atlantic interaction on data protection
and privacy issues. Well beyond the
narrow scope of commercial transactions, the U.S. government seems intransigent
in its defense of the legitimacy of Project PRISM and similar domestic
surveillance: particularly in light of litigation filed in federal court by the
Wikimedia Foundation and others.
Meanwhile on the global stage, the United States is trying to push data
protection back into the frame of trade negotiation, particularly with its more
malleable Pacific partners.
IV. Perspectives from Madrid
At the Madrid UIA event last
month, I was tasked with offering the U.S. perspective on data protection, and I
tried my best to do that. I reported on
the history of privacy and data protection in the United States, current and
proposed laws, and surveys of public opinion.
Maybe just to be a crowd pleaser, I ended on an optimistic note, offering
the hope that a middle road of compromise might yet be discovered. Gencarelli followed me with closing remarks
and picked up on the thread, again evincing insistent optimism.
From his perspective, Gencarelli
said, the Snowden revelations have prompted the U.S. executive to take data
protection seriously for the first time and to work with Congress to find
solutions. He cited as a bellwether
Congressman Jim Sensenbrenner, an architect of the USA PATRIOT Act, who has
introduced bills that would curtail government surveillance. Gencarelli also recited problems with Safe
Harbor—including over-reliance on self-certification, FTC enforcement that
comes too late and only in cases of widespread injury, and ineffectiveness in reining
in unnecessary government surveillance—all of which contribute to the European
perception that U.S. oversight of data protection remains inadequate.
Nevertheless, Gencarelli
described how the path of compromise might be found on several points:
- stronger federal compliance monitoring in the United States;
- EU cooperation with the FTC to effect enforcement;
- free alternative dispute resolution procedures in the United States for foreign complainants;
- improved transparency of corporate privacy policies;
- greater clarity in liability rules, especially the establishment of corporate responsibility for outsourced data processing; and
- public surveillance reined in by norms of necessity and proportionality when national security interests are invoked.
In closing, while acknowledging
impatience for progress on the GDPR in both the European Parliament and the
private sector, Gencarelli said to watch for “interesting developments” in the
weeks to come. We await those
developments with interest.