During a September of 2014 Intellectual Property Law Conference in Duesseldorf, Germany, Birgit Sippel, a member of the European Parliament informed the audience that the Parliament overwhelmingly supported far greater restrictions on collector and processors of personal data than currently provided and regardless of where they were situated. Ms. Sippel went on to state that the Parliament would swiftly adopt a 2012 proposal to establish an EU wide regulation, bolstering the rights of EU data holders and creating data protection agencies authorized to handle complaints against data collectors or processors.
At that time, I commented in a blog that U.S. firms doing business with EU customers in which they collect, use or process personal data could not expect that their U.S. data processing practices could continue in the EU without specific attention to the EC Directive and related data protection rules. Several months prior, in May of 2014, the European Court of Justice (ECJ) had held in a case involving a Spanish citizen and Google, that not only did EU rules apply to data collectors which sell advertising space in the EU, regardless of where the server was located, but the data holder has the right to request removal of links with personal information under specific circumstances and require the collector to comply. Google lost the case, and the so-called “right to be forgotten” was incorporated into the EU data protection rules that were adopted in December of 2016, largely in line with the Ms. Sippel’s position.
After the Google ruling, an Austrian citizen filed a complaint with the Irish Data Protection Commissioner against Facebook, which is incorporated in Ireland, challenging Facebook’s transfer of his personal data to the U.S. on the grounds of inadequate protection in the U.S. The complainant’s appeal in Ireland was stayed until the ECJ ruled, with the Court finding that the then-applicable decision of the EU Commission on adequacy with regard to the U.S. data protection standards was invalid. This Court decision from October of 2015 thus upended the existing framework permitting U.S. processors to transfer EU data holder information to U.S. servers.
The EU Commission returned to the negotiating table with its U.S. counterparts to address the Court’s concerns with respect to U.S. companies’ data practices, and in August of 2016, a new bilateral agreement, the EU-U.S. Privacy Shield framework, came into effect, replacing its predecessor Safe Harbor framework.
Then, at the end of 2016, the EU adopted the General Data Protection Regulation or so called “GDPR” (the “Regulation”), which replaces the current EU Directive 95/46 on data protection, and is to be fully implemented by the EU Member States by May of 2018.
What the Regulation protects
The Regulation protects the use of personal data of individuals by data processors which collect, use, or process such data in any manner for commercial purposes.While the EU data regulatory framework is far more comprehensive than the Regulation and includes additional laws related to health care data, law-enforcement,institutional use and other areas, the Regulation and the accompanying EU-US Privacy Shield framework represent the core data protection rules which affect U.S. businesses.
The Regulation covers personally identifiable data of any data holder with an address in any of the 28 EU countries, the EEA countries of Norway, Iceland, and Liechtenstein, and Switzerland, and accords rights and safeguards to them, regardless of where the data collector or processor is located.
Under the Regulation, the data holder is the owner of his or her data. The holder is entitled at all times to -and must consent to- third party use of his or her data. The holder may revoke his consent to use or may require erasure or removal of data to which the holder previously agreed. As a result, data collectors must ensure that the data holder:
- has one or more means or giving consent to the processor’s use of the holder’s data in a clear, affirmative way. (opt in, not opt out);
- is able to request access to the holder’s data, and access must be made easy and available to the holder at reasonable intervals;
- may object to the continued use of his or her data, request that it be rectified or have it erased or removed, even if the data holder previously agreed to use.
How data holders’ rights are enforced
The Regulation institutes simplified administrative and judicial remedies for complaints and their resolution. The data holder may submit complaints to a single supervisory authority in each Member State or to one of several agencies in the United States in the case of complaints against a U.S. data processor.
All data processors which process information of EU data holders are required to designate a representative to act on behalf of the processor and with regard to the Member State’s supervisory authority, to cooperate with that authority to ensure its compliance with the Regulation, and in the event of a breach, to be subject to enforcement proceedings. U.S. controllers or processors without an establishment or presence in the EU must also designate a representative to act on behalf of the processor with respect to a Member State’s supervisory authority, and in the event of any breach of the Regulation’s rights to data holders, expect that complaints will be processed by the authority. A data holder is also entitled to judicial remedies against an administrative ruling of the authority or in the event the authority fails to carry out its duty to process a complaint in accordance with the Regulation’s dictates.
The data holder’s remedies cover “material or non-material damage”, which occurs from a processor’s proven infringement of the holder’s rights, and in either case, the holder is entitled to compensation.
The EU-U.S. Privacy Shield and U.S. Processors
Under the predecessor directive to the Regulation, the EU Commission was authorized to decide on the adequacy of legal protections in countries outside of the EU, including the U.S., prior to permitting transfers of personal data of EU data holders outside of the EU for processing. Although the Commission had instituted the Safe Harbor framework, in the wake of additional case law (see Schrems Decision), it was compelled to reform the framework, which in turn lead to the Privacy Shield and a system of certification to ensure ongoing compliance.
Under the certification system, U.S. processor companies commit to the U.S. Privacy Shield principles and voluntarily apply for certification through the Department of Commerce, FTC or DoT, depending upon the authority responsible for the particular industry in which the processor operates. In exchange for this certification, processors are permitted to transfer or continue transferring data of EU holders outside of the EU for processing. Certification is subject to annual review and renewal by the agencies involved and to these agencies’ enforcement powers. EU data holders are able to submit complaints to the data protection authority in the holder’s Member State of residence or to the U.S. agency concerned for handling. If need be, resolution through alternative dispute resolution, such as arbitration, is further provided.
As of this September, a significant number of large U.S. data collectors and processors have certified with the Department of Commerce. Moreover, the Privacy Shield framework is subject to ongoing review, monitoring and enforcement by the EU Commission, and be updated or changed to address new issues as they arise. Thus, it is not a one-time compliance issue, but an ongoing one with the prospect of increased supervision or restriction.
Take Aways for Data Holders and Processors
Well before 2014, European laws and attitudes towards the collection and use of personal data have been more restrictive than in the U.S. The Regulation is built upon decades of precedent and represents the next level in ensuring stricter standards and uniform application of the law’s provisions to all EU and EEA countries, plus Switzerland.
The EU Data Holder Wields the Power
Most U.S. data processors have based their operation on the premise that personal data made available to the processor is for use at the service provider’s discretion, and that once given, the processor has few restraints other than to protect again hacking or other security breaches that may affect specific transactions such as credit card processing, credit reporting which involve financially sensitive data. Once disclosed to the processor, the data holder is not given control over current or future use, nor the means to take specific affirmative action to restrict or correct the data disclosed. A very different model applies in the EU. The European personal data holder is the owner of his or her data and is entitled to affirmatively consent or “opt in” to specific uses by the data processor. At any time, the data holder may revoke, amend or request removal of data, and the processor must comply. Noncompliance has the consequences of answering to a data protection agency and potential liability for compensation.
While to date there may not have been much debate in the U.S. over the rights of the data holder, European thinking on personal data and privacy may prompt more vigorous discussion over the power that large U.S. data processors exercise in the U.S. market, in great part due to the personal data they have collected. One recently dissenting voice is that of University of Southern California’s (USC) communications professor, Jonathan Taplin. In Taplin’s book, “Move Fast, Break Things”, he makes the case that firms such as Google, Facebook, and Amazon have immense influencing power over our daily lives because of the personal data which U.S. holders have unwittingly provided. In turn, such data control has helped to give rise to monopolies each online service now has in search (Google), social media integration and messaging (Facebook), and books and other items (Amazon).
European influence on Data Operations in America?
Historically U.S. firms and American institutions have played a major role in influencing commercial practices, policy and culture well beyond U.S. borders. Under the Privacy Shield, the EU Commission decides what data can be collected, used and processed with regard to EU data holders and whether the policies and practices in the U.S. are adequate to permit data transfer to the U.S. As the data protection rules are subject to ongoing review and will evolve as cases are tried and complaints heard, U.S. processors can expect that collection, processing and transfer operations will continue to be monitored and to be subject to higher standards and restrictions. The new normal in EU data collection and processing can be likened to a nonexclusive license granted by the data holder to the processor, which the holder may revoke, amend, or request be entirely removed at any time, rather than a one-time transaction where the holder makes the disclosures to the processor and the processor is free to use the data as it sees fit.
To the extent a data collector or processor does not provide mechanisms which ensure that the data holder’s rights are ensured and provide the measures to enforce them, the processor’s business model, means of operation or management practices will need to be adapted to do so. This is very likely to result in additional costs to institute affirmative consent or closer interaction mechanisms with data holders and to accommodate requests to rectify or remove data. Indeed, a recent PwC Survey found that among large American processors, the most frequently implemented compliance measures included certification under the Privacy Shield and instituting binding corporate rules, at an investment cost of more than $1 million.
If these compliance mechanisms are put in place for EU data holders, why not offer such protections to all data holders, including those in the U.S.? Even if data processors are not considering this from the standpoint of simplifying commercial operations, it seems that U.S. data holders ought to be asking this question for themselves.
What the future may bring
U.S. data holders may presume that the ease and convenience in the services which data processors provide is not only worth the data holder’s consent to wholesale use of the holder’s personal data, but that this bargain initially struck with any processor is not open for discussion. Europe, in contrast, acknowledges the data holder’s rights to value and control personal data, regardless of convenience of service, and is compelling U.S. companies to adapt their current business models and systems to comply with more comprehensive levels of data protection required by the Regulation.
The debate in America on data security has been sparked by security breaches at Yahoo, Equifax, and with regard to Uber’s recent announcement of a hacking of its site that has only recently come to light. However, it is the EU data protection authorities that are taking action to investigate Uber’s breach. The ride share service’s breach is now subject to an investigation by the Dutch data protection authority under Holland’s rules which are quite stringent, the Netherlands being the site of Uber’s European operations. Austria and Poland are launching separate investigations of the potential breach, and the U.K. and Italy may join. This has prompted the EU to consider launching a EU probe. Such an EU investigation would not, however, negate the imposition of sanctions at the Member State level at least until the Regulation takes effective next May, and Holland’s maximum fines are high, up to 820,000 Euro.
U.S. data holders’ ire over hacking and companies maintaining secrecy about breaches has not yet lead to a vigorous debate as to who is in control of personal data and what individual rights and remedies a data holder has. The Regulation and Privacy Shield should prompt a far deeper reexamination of how we view our personal data and what we require of the businesses making use of it. Do we want the rights to erase, remove, or change the data we give, and to have links removed so as to “be forgotten”? What should be the consequences to processors if U.S. data holders’ rights are breached or adversely affected? It may be time for a simplified process to file complaints, and seek redress administratively or judicially without the costs outweighing the benefits. And if, as with Uber, a large number of customers are affected, why shouldn’t sanctions or fines apply? We’ve imposed them for antitrust violations and intellectual property infringement. Why wouldn’t we consider them for egregious breaches of personal data?
Leslie Williams, partner Wilson Keadjian Browndorf LLP
© 2017 Leslie Williams
This article is current as of December 4, 2017
 Judgment of the Court (Grand Chamber), 13 May 2014. Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González. ECLI:EU:C:2014:317.
 Judgment of the Court of 6 October 2015 Maximillian Schrems v Data Protection Commissioner Request for Preliminary Ruling from High Court Ireland; C-362/14 ECLI: EU:C 2015.650 (hereafter “Schrems Decision”).
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88). The Regulation replaces its predecessor Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA.
 Commission Implementing Decision (EU) 2016/1250 of July 12 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on adequacy of protection provided by EU-US Privacy Shield (C 2016 4176; O J L 207, 1.8.2016 p 1-112).
 Move Fast and Break Things: How Facebook, Google, and Amazon Cornered Culture and Undermined Democracy, Taplin, Jonathan, MacMillian 2017.
 “GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey”, PwC. 23 January 2017, www.pwc.com/us/en/press-releases/2017/pwc-gdpr-compliance-press-release.
 “EU considers investigation into Uber Hack”, Financial Times, 23 November 2017, www.ft.com/content/db433c83-7b7e-3d2f-9a60-e89355640bf7.