In this post, network member Richard Peltz-Steele (UMass) reviews the state of EU data protection reform, US-EU cooperation on compliance and enforcement, and the prospects of a successful compromise in a time of legislative gridlock, government surveillance, and public controversy.
Reflecting on discussions last month in Madrid in which he took a role, he argues that—despite continued European skepticism and the difficulties of reconciling regulatory ideals with commercial realities—solid grounds for optimism remain.
* * *
For the last couple of years, the EU has been in the throes of birthing a General Data Protection Regulation (GDPR). The GPDR will replace the existing 1995 Data Protection Directive (DPD), which is showing its age in the struggle to confront problems of global electronic communication. The impending changes were the subject of a program of the Union Internationale des Avocats (UIA) in Madrid April 17 and 18, in which I participated. In light of those discussions, it seems a good moment to review the expected changes and their implications for the complex relationship between the United States and European Union in matters of data protection.
I. From DPD to GDPR – A New Regime for Data Protection
Under EU law, the transition from a directive (the DPD) to a regulation (the GDPR) is a significant change in legal form. A directive calls on Member States to legislate themselves into compliance by enacting compliant national laws, while a regulation constitutes self-executing Union law. Accordingly, under the DPD, data protection law has evolved largely in the province of national legislatures, national courts, and quasi-independent national data protection authorities. But the EU institutions have not been altogether excluded: for example, the EU Court of Justice (CJEU) has the power to construe the DPD, and the court has decided questions referred from Member States—notably including last year’s bombshell, Google Spain, in which the court ordered Google to de-link search results deemed untimely and unfair to a data subject. And the DPD’s “Article 29 Working Party,” a body primarily comprising national data protection officers and officials of the European Commission (EC), has been influential in harmonizing data protection law across Member States. In sum, the system that has evolved under the DPD has been a process of cooperation or dialogue between national and Union institutions, and one in which the national participants have played a leading role.
The GDPR will bring about several changes in the existing regime. As a matter of black-letter law, the new regulation will beef up data protection requirements and will create a European Data Protection Board for oversight, replacing the old Working Party. The resulting shift from a decentralized dialogue toward a more centralized model is subtle, but substantial and significant enough to trigger hand-wringing among negotiating states. More broadly, however, the GDPR will bring about a seismic shift by purporting to apply in full to entities with no physical presence in Europe that interact with and gather data about EU citizens—a change with sharp implications for those engaged in online commerce, although the scope of the GDPR will be limited neither to electronic communications nor to suppliers of goods and services.
This change in scope of application will have significant practical implications. To date, Facebook has been hauled into the CJEU only thanks to its voluntary presence in the Republic of Ireland, while the long arm of the Spanish Data Protection Authority was frustrated in trying to reach “through” Google’s Spanish subsidiary to the operations of the U.S. parent entity in Mountain View, California. Under the new regime, the limits of the GDPR will be—at least purportedly—subject only to the practical limits of enforcement.
Needless to say, this expansion has foreign actors nervous, especially in the U.S. commercial and information sectors. Corporate actors are fearful of the financial toll of compliance with the complicated regime of data protection regulation that Europe has now cultivated for decades. And online information providers, including journalists and data brokers, worry that EU regulations will impact both their bottom line and their editorial discretion, bringing Big Brother oversight to news morgues, web archives, and aggregated data stores.
But American concerns extend beyond the EU’s grab for broader jurisdictional reach. Indeed, even commercial actors in the United States that have long purported to comply with EU data protection law are rightly antsy. Influenced by a complex combination of factors—including the Iraq war, the global financial crisis, the Snowden revelations, and fissures within Europe over GDPR specifics—certification of U.S. actors as authorized recipients of “onward transfers” of European data is in profound jeopardy. A collapse of data transfers would threaten nothing less than paralysis of trans-Atlantic commerce.
The DPD currently requires that data leaving Europe enter only jurisdictions in which the law provides an “adequate” framework of comparable protection to that available in Europe. The United States accomplished this “adequacy” by way of the Safe Harbor framework. The most important element of this framework is the “Safe Harbor Agreement,” although in practice most approved transfers occur under so-called “binding corporate rules” or “model contractual clauses”: in the interests of simplicity, I gloss over the details here. The important point is that no onlooker seriously thought that the Safe Harbor framework was truly “adequate” in the sense intended under the DPD; rather, the use of Safe Harbor was a concession to practical commercial necessity. Notwithstanding a spate of noteworthy FTC enforcement actions, compliance with Safe Harbor by U.S. companies remains largely a voluntary matter, heavily reliant on industry self-policing. Moreover, the commercial scope of Safe Harbor represents only a slice of the DPD’s overall breadth. In sum, the smooth operation of the system has depended so far on regulators’ indulgence. But Europe now seems discontented with that arrangement, and that discontent is fueling flames of skepticism and instability in GDPR talks.
II. Next Steps and the Challenges of the “One Stop Shop”
So where does the GDPR stand today? Observers have pooh-poohed Europe’s self-imposed deadline of late 2015 to early 2016, with an effective date two years on. But at the UIA Madrid program, an EC leader called for optimism. Bruno Gencarelli is head of the data protection unit for the EC Directorate-General of Justice and Consumers, and he has the benefit of an insider’s perspective on the negotiations. Gencarelli acknowledged that the two years of effort so far invested in the GDPR seems to have been a long slog. But, he observed, national legislation of such comprehensive scope and complex terms, requiring consensus among a wide array of stakeholders, can take just as long to reach enactment.
Gencarelli reminded the Madrid gathering that when the DPD was enacted, only one percent of the population of Europe used the Internet, and Mark Zuckerberg was in primary school. In that light, updating the DPD to create an instrument that will govern big data for the next 20 years is no small feat. “You have to make sure that you get it right,” he said. He anticipated that a “general approach” will reach the European Council by June 16, allowing Council, Parliament, and the Commission to engage in “trilogue” conference for final adoption by year’s end.
A key point of contention within Europe—where disagreement has resulted in the publication of competing GDPR drafts (one from the Commission, and a more stringent version from the Parliament)—is the “one stop shop” (OSS) concept. OSS is an approach to the resolution of cross-border data protection disputes: its proponents claim that it will offer a streamlined resolution mechanism leading to a single and fast supervisory decision with uniform effects. On this view, a successful OSS will reduce compliance costs by affording actors certainty and consistency. An earlier draft of OSS had provided that the data protection authority of a company’s “main establishment” would exercise jurisdiction over cross-border disputes (subject to consultation with officials from other nations). But that proposal led to fears of forum shopping (i.e., a concern that companies would locate their “main establishment” in countries with the most lax enforcement). Accordingly, in March the European Council proposed a more complex compromise that calls on national data protection authorities to work together and reach agreement, subject to intervention by the European Data Protection Board to resolve differences.
But this compromise satisfied neither side. For example, it did little to address the concern, expressed by some, that citizens’ data protection rights—protected by Article 8 of the Charter of Fundamental Freedoms and made legally effective by the Treaty of Lisbon—would be subject to the permissive whims of a data protection authority in the respondent’s jurisdiction: an authority that might appear to be, or might in fact be, overly friendly with domestic industry. By giving data protection officials in the respondent’s home jurisdiction the lead role in investigation and resolution, the compromise approach remained vulnerable to this criticism.
At a more fundamental level, other critics have challenged the move toward increased harmonization that lies at the heart of the OSS concept, and indeed characterizes the GDPR as a whole: a move inspired in part by the perception that some Member States have unfairly courted business by taking a permissive approach to data protection oversight. In response (and perhaps predictably), criticism has come both from those demanding more centralization and those who favor less. Specifically, some decry the OSS compromise for failing to offer a central European authority (pointing out that the notion of cooperation among national officials is a fine idea in principle but unlikely to function smoothly in practice); others raise the complaint that interlocutory appeals to the European Board will mean only more bureaucracy, longer proceedings, greater uncertainty, and increasing compliance costs—precisely the opposite of what the GDPR and OSS are intended to do.
III. The Place of the United States in Europe’s New Regime
How the United States will fit into the GDPR is still anyone’s guess. Agreement with the United States to continue something like the “adequacy” determination of the DPD seems inevitable, in light of the practical need to accommodate commercial realities. But myriad European objections to U.S. data protection remain unresolved. Even as the FTC looks to beef up its enforcement efforts with White House backing, its broad authority under the 1914 FTC Act—a constitutional law professor’s poster child for the death of non-delegation doctrine—is facing challenge in the Third Circuit. The Consumer Privacy Bill of Rights Act seems ill fated amid political gridlock and concerns over the adequacy of Congressional legislation to solve the problem. A resilient sticking point with Europe has been the United States’ lack of judicial redress for private parties aggrieved by data protection breaches, and the US model of public enforcement is plainly ill suited to the job.
Hope might reside in the states. They are innovating rapidly, with many finding or creating private causes of action under the rubric of consumer protection law: thus, for example, in the vein of the “right to erasure,” a California statute effective in January grants minors a limited right to demand that website operators erase their old posts. But, on a harmonization kick, Europe is not enchanted with the diversity of the American regulatory “laboratories of democracy.”
Finally, the giant figure of Ed Snowden continues to overshadow trans-Atlantic interaction on data protection and privacy issues. Well beyond the narrow scope of commercial transactions, the U.S. government seems intransigent in its defense of the legitimacy of Project PRISM and similar domestic surveillance: particularly in light of litigation filed in federal court by the Wikimedia Foundation and others. Meanwhile on the global stage, the United States is trying to push data protection back into the frame of trade negotiation, particularly with its more malleable Pacific partners.
IV. Perspectives from Madrid
At the Madrid UIA event last month, I was tasked with offering the U.S. perspective on data protection, and I tried my best to do that. I reported on the history of privacy and data protection in the United States, current and proposed laws, and surveys of public opinion. Maybe just to be a crowd pleaser, I ended on an optimistic note, offering the hope that a middle road of compromise might yet be discovered. Gencarelli followed me with closing remarks and picked up on the thread, again evincing insistent optimism.
From his perspective, Gencarelli said, the Snowden revelations have prompted the U.S. executive to take data protection seriously for the first time and to work with Congress to find solutions. He cited as a bellwether Congressman Jim Sensenbrenner, an architect of the USA PATRIOT Act, who has introduced bills that would curtail government surveillance. Gencarelli also recited problems with Safe Harbor—including over-reliance on self-certification, FTC enforcement that comes too late and only in cases of widespread injury, and ineffectiveness in reining in unnecessary government surveillance—all of which contribute to the European perception that U.S. oversight of data protection remains inadequate.
Nevertheless, Gencarelli described how the path of compromise might be found on several points:
stronger federal compliance monitoring in the United States;
- EU cooperation with the FTC to effect enforcement;
- free alternative dispute resolution procedures in the United States for foreign complainants;
- improved transparency of corporate privacy policies;
- greater clarity in liability rules, especially the establishment of corporate responsibility for outsourced data processing; and
- public surveillance reined in by norms of necessity and proportionality when national security interests are invoked.
In closing, while acknowledging impatience for progress on the GDPR in both the European Parliament and the private sector, Gencarelli said to watch for “interesting developments” in the weeks to come. We await those developments with interest.