In 1999, Sun Microsystems CEO Scott McNealy shocked a group of reporters and analysts by telling them that consumer privacy issues were a red herring – “you have zero privacy anyway - get over it”. Four years prior to that statement, the European Parliament passed the Data Protection Directive which would become the bedrock of Europe’s information privacy laws. Over the years, common perceptions of transatlantic privacy values have followed a well-worn narrative: European privacy standards are overly stringent and bureaucratic while US privacy laws are lax, laissez-faire and offer minimal protection for individuals. The reality is somewhat more nuanced.
The impending General Data Protection Regulation (the “GDPR”) and the negotiations over the draft ePrivacy Regulation have once again brought into sharp focus the perceived differences between European and US privacy standards. This is being acutely felt in Ireland which is home to some 16 of the top 20 software companies in the world. Post-Brexit, Ireland is also on course to be the only common law country left in the EU.
Common law and civil law traditions have tended to approach privacy from different angles. Europe’s privacy regime is largely a civil law concept. The first modern, comprehensive information privacy law was passed by the Hessian Parliament in Germany in 1970. The two common law jurisdictions in the European Union – the UK and Ireland - did not fully follow suit until the 1995 Data Protection Directive was fully transposed locally in 1998 and 2003 respectively. Countries with common law traditions (including the US, Ireland and the UK) have traditionally tended to focus more on decisional privacy (this posits privacy as a right which individuals can rely on to defend themselves against the actions of the state). Ireland’s privacy regime prior to the adoption of the 1995 Directive was closer to the US right of privacy usually found in the Fourth Amendment of the US Constitution.
European data privacy law focuses on achieving information privacy by the horizontal application of principles-based regulations. The processing of all types of data is regulated in more or less the same way (save for additional protections for certain categories of sensitive personal data etc.). The principles which underpin the GDPR are intended for application across the whole economy – the same provisions which govern processing by public bodies will also govern social media companies and ad-tech agencies. There are advantages and disadvantages to this approach. Framing laws in a technologically neutral fashion can help lawmakers keep ahead of the rapidly changing technological landscape (legislating for the unforeseen consequences of IoT is a good example of this). The drawback is unpredictable interpretation of the law and a likelihood of discouraging innovation. The European privacy tradition is sometimes described as inherently prohibitive – you have to actively seek out a lawful basis for each category of processing.
This contrasts sharply with the US position which has always preferred sector specific privacy rules – for example, the Health Insurance Portability and Accountability Act (to protect health records), the Video Privacy Protection Act (which protects the privacy of video watching), the Family Educational Rights and Privacy Act (which protects student’s education records) and the Children's Online Privacy Protection Act (COPPA) (which protects children’s personal data online). The position is also complicated by state laws. European companies operating in California might be surprised to learn that the collection of certain types of personal information is prohibited in the context of a credit card transaction under the Song-Beverly Credit Card Act 1971.
Enforcement of personal data rights in the EU is generally left to national regulatory authorities who have been established specifically for that purpose (such as the Office of the Irish Data Protection Commissioner). In the US, some of this task has been taken up by a coalition comprised of the FTC, state legislatures and attorneys general. Those suspicious of the perceived looseness of privacy laws in the US would do well to remember that the world’s first data security breach law was enacted by the state of California in 2003. The GDPR will introduce a harmonise breach reporting regime across the EU for the first time.
The GDPR provides for compensation where a breach of the regulation has led to a data subject suffering immaterial or non-pecuniary harm. This is helpful insofar as it harmonises the European position on the issue after the rulings of the English Court of Appeal in Google v Vidal-Hall and the Irish High Court in Collins v FBD Insurance plc. Compensating for immaterial harm in the privacy context has traditionally been a bridge too far for courts in the US (Clapper v Amnesty International).
While the US courts have been traditionally sceptical of immaterial harm, the EU can learn from the way in which consumer privacy rights have been vindicated in class action suits. Article 80 of the GDPR provides that privacy advocacy groups can take actions on behalf of groups of data subjects whose rights have been infringed. This right, combined with the right to recover for immaterial harm, should prove a serious deterrent to companies who might be tempted to skirt around data subject rights.
The GDPR also fixes a notable omission of the 1995 Directive by directly addressing the processing of children’s personal data. It provides that where a child’s consent is required in order to provide them access to an information society service and the child is under the local lawful age of consent, the provider of the service must obtain verifiable parental consent. This echoes the equivalent provision of COPPA which appears to have partly inspired it and provides an example of at least one area where the standard in the US and the EU is similar.
The future is already here — it's just not very evenly distributed (William Gibson)
It is hard to avoid the conclusion that the future of privacy law would appear to be European. While most of the world has enthusiastically embraced US technology companies and their products, they have also adopted European-style data protection laws. This is a trend which is likely to continue under the GDPR because of the very wide territorial scope claimed by the regulation in Article 3. That article provides that the GDPR will apply to companies who offer goods and services to European data subjects (even if the company itself is not based in the EU). Even the UK, soon to leave the EU, has conceded that it will implement the GDPR in full. The influence of the GDPR will also be spread by data processing agreements which will contractually require that US controllers and processors meet the standards set by European counterparties.
In October 2015, the Court of Justice of the European Union (CJEU) struck down the Safe Harbor regime for the transfer of personal data from the EU to the US. In March of this year, the Irish Data Protection Commissioner petitioned the court to refer the European Commission’s standard contractual clauses to the CJEU in order to determine whether they meet the standard of protection for data subjects required under European law. The consequences could be far-reaching as the standard contractual clauses are widely relied on by companies and organisations transferring personal data between the EU and the US. The latest episode in transatlantic privacy relations is currently being considered by the Irish High Court and at the time of writing, we await the court’s decision.
This article was published in the American Lawyer Global 100 edition, October 2017