
Article: Data Privacy Protection in the EU, the US, & Around the World

Pullan Kammerloch Frohlinger is a proud member of Primerus, a highly selective society of the world's finest independent boutique law firms. In addition to expanding our reach internationally, and providing our clients with reliable referrals to competent counsel around the globe, we also receive the ongoing benefit of an international exchange of information and current events from our counterparts within Primerus.

The following article, published by Terry Stewart of Stewart and Stewart (Washington, D.C.) is particularly worthy of republication, and is also an excellent example of how PKF stays on the cutting edge of new developments in business and in the law.

Data Privacy Protection in the EU, the U.S., and Around the World: Does the EU's GDPR Provide a Guide Path?

Written by William A. Fennell and Stephanie T. Rosenberg

The European Union’s General Data Protection Regulation (“GDPR”) establishes a clear vision for the level of data privacy protection that it believes is appropriate for developed countries, and, indeed, the world-wide web, at this point in the 21st century. It could become the default standard for all countries that wish to protect their citizens from unwarranted electronic intrusion. An analysis of the approaches taken by the EU and the responses of the U.S. and other countries to date provides a context for consideration of what lies ahead.

U.S. responses to the GDPR

U.S. Government

After the European law went into effect in May of this year, Commerce Secretary Wilbur Ross wrote an op-ed shedding light on the issues of concern for the U.S. government with respect to the GDPR.[1] The Secretary warned that implementation of the GDPR, as designed, could significantly interrupt transatlantic co-operation and create unnecessary barriers to trade, not only for the U.S. but also for everyone outside of the EU. While the Trump Administration supports the GDPR’s goal of protecting personal online data and continued transatlantic data exchange, it has serious concerns about the lack of clarity of legal obligations for both private and public sector entities, including the U.S. government. Secretary Ross also noted that the costs of complying with the GDPR, particularly for small and medium-sized companies, may result in consumers losing access to digital services as well as a reduction in the choices available to them.

Gail Slater, special assistant to President Trump for technology, telecommunications and cybersecurity policy with the White House National Economic Council, has said that there is no desire to create a U.S. clone of the European rules.[2] While she agrees that “giving consumers more control over their data” and “more access to their data” are good principles, she has also raised concerns that “the right to be forgotten” may not be compatible with U.S. law.[3] She too has stressed the burden of the European rules for smaller businesses.

U.S. tech companies

U.S. tech companies have taken mixed positions with regard to the EU GDPR. Those that have taken a positive stance on the regulation favor the increased consistency in Europe. They say that the GDPR strikes the balance necessary between innovation and the protection of individual rights. For instance, on its website, Cisco states, “The European Union General Data Protection Regulation (GDPR) brings long-anticipated consistency to the data protection landscape in Europe. GDPR embodies the well-recognized privacy principles of transparency, fairness, and accountability. By introducing a risk-based approach, GDPR will enable innovation and participation in the global digital economy while respecting individual rights.”[4] Others have highlighted the challenge of implementation and the significant resources necessary to adequately comply with the regulation.

At a recent hearing of the U.S. Senate Committee on Commerce, Science and Transportation on data privacy policies, Keith Enright, Google’s chief privacy officer, implied that Google’s compliance efforts cost the company billions of dollars and claimed that it took several years of preparation, and “hundreds of years of human time.”[5] Several witnesses underscored the overly burdensome and prescriptive nature of the regulation and the disproportionate negative impact that the regulation has had on small- and medium-sized businesses.[6] They claim that since the implementation of the regulation, smaller companies appear to have exited Europe, websites have gone dark, incumbents are becoming strengthened, and the development of blockchain technology and artificial intelligence has been slowed.

Nonetheless, the urgency engendered by implementation of the GDPR has led many U.S. companies to collaborate with federal government officials to design a U.S. framework for data protection.[7]

Consumer groups

A number of consumer groups strongly support the EU GDPR. Around the time the regulation took effect, the Transatlantic Consumer Dialogue, a coalition of 70 U.S. and European consumer groups, wrote letters to 95 major internet companies, including Amazon,[8] Google, and Facebook, along with digital advertisers such as Nestle, Walmart, and JP Morgan Chase, urging them to adopt the core elements of the GDPR as a baseline standard worldwide for all of their services, including in the U.S.[9] In the letter they sent to Facebook, they claim that the GDPR is “the best legal standard currently available to the privacy of […] users.”[10] They argue that if companies are able to provide these protections for hundreds of millions of people in Europe, then they are capable of applying the same protections worldwide.[11]

Global GDPR compliance efforts

The GDPR has spurred a shift in the way that ownership of personal information is understood and the way that organizations are approaching data privacy. The regulation requires organizations to completely transform the way that they collect, process, securely store, share and securely wipe personal data.[23] Thus, companies are changing organizational processes and entire business models as a result of the GDPR.[24]

The main objective of the regulation is to harmonize privacy legislation between EU member states. However, because the GDPR applies to any organization that collects, processes, manages or stores the data of European citizens residing in the EU, the regulation applies to major online services and businesses worldwide that target the EU as a market.[25] It applies, for example, to the activities of publishers, banks, universities, much of the Fortune 500, ad tech companies that track consumers across the web, devices, and apps, and Silicon Valley tech giants.[26]

Companies, regardless of where they are based, can be fined for breaching the GDPR up to four percent of annual global turnover or 20 million euros, whichever is greater. Thus, the regulation is global in scope and in application.

Many companies have updated their privacy policies to explain how they: 1) capture, use, store, and secure user/customer data; 2) capture and use cookie data; 3) capture and use location/mobile data; 4) share user data with company employees, partners and third parties, if applicable; and 5) obtain user consent to receive marketing communications.[27] Facebook,[28] Microsoft,[29] Twitter,[30] Apple[31] and others have made significant changes, often going beyond the GDPR requirements and offering users outside of the EU additional rights over their data as well. However, these rights do not have the force of law behind them, which means that non-EU residents are unable to file a complaint for violating the GDPR.[32]

Studies have analyzed the ability of companies to comply with the GDPR and the extent to which the EU regulation is impacting business practices and policies worldwide. Between February and April of 2018, the IBM Institute for Business Value and Oxford Economics surveyed Chief Privacy Officers, Chief Data Officers, General Counsels, Chief Information Security Officers and Data Protection Officers at 1,500 companies affected by GDPR in 34 countries, representing 15 industries.[33]

According to the study, 60 percent of organizations surveyed are embracing the GDPR as an opportunity to improve privacy, security, and data management rather than simply as a compliance issue; and 22 percent stated that they are using the GDPR as a fully transformational business opportunity to address data responsibility and management.[34] The study shows that companies are cutting down on the amount of personal data they keep (80 percent of companies), reducing the number of people who have access to personal data (78 percent of companies), and disposing of data that is no longer needed (70 percent of companies).[35] However, only 36 percent of surveyed executives said that they would be fully compliant with the EU regulation by its effective date.[36]

Surveys have also highlighted the financial burden imposed by the efforts that companies are making to comply with the GDPR. In March 2018, Netsparker, a Web application security firm, polled 302 C-level security executives at U.S. companies to learn how they are preparing for the GDPR.[37] Overall, they found that businesses are taking the EU regulation more seriously than Payment Card Industry standards and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and 99 percent are “actively involved” in the process to become compliant.[38] Ten percent of Netsparker’s respondents say they will spend more than $1 million to become GDPR compliant.[39] Nearly 24 percent will spend between $100,000 and $1 million, 35.8 percent will spend from $50,000 to $100,000, and 20 percent will spend between $10,000 and $50,000.[40]

Conclusion

With its GDPR, the EU appears to be playing a significant role in shaping the standards that govern the collection, processing, and usage of personal data not only in the EU but also across the world. The EU regulation along with other developments (including the California Consumer Privacy Act signed into law earlier this year and social media companies’ failures to properly protect users’ data) have put pressure on members of Congress to pass a federal law to protect consumers’ privacy. Thus, this is a critical time for U.S. stakeholders to ensure that policymakers successfully pass a law that both adequately protects consumers’ personal data and promotes the country’s global competitiveness. For more information, please contact William A. Fennell.
[1] See Wilbur Ross, EU data privacy laws are likely to create barriers to trade, Fin. Times (May 30, 2018).
[2] Shannon Vavra, Kim Hart & David McCabe, Scoop: The White House looks to coordinate online privacy plan, Axios (June 20, 2018), https://www.axios.com/scoop-the-white-house-looks-to-coordinate-online-privacy-plan-a51691cf-78d9-466e-8deb-27a66b1843c7.html and Cristiano Lima, What’s next for net neutrality, Politico (May 17, 2018), https://www.politico.com/newsletters/morning-tech/2018/05/17/whats-next-for-net-neutrality-221251.
[3] Id.
[4] See Cisco, Our View on GDPR, https://www.cisco.com/c/en/us/about/trust-center/gdpr.html#~tab-readiness-tips (last visited Oct. 29, 2018). See also Oracle, Ready for GDPR? Oracle Marketing Cloud gets you there!, https://www.oracle.com/marketingcloud/about/events/gdpr.html (last visited Oct. 29, 2018) (“The Oracle Marketing Cloud welcomes the positive changes the GDPR is expected to bring to our services and we are committed to helping our customers address GDPR requirements that are relevant to our products and services.”).
[5] Examining Safeguards for Consumer Data Privacy: Hearing Before the S. Comm. on Commerce, Science & Transportation, 115th Cong. (2018) (statement of Keith Enright, Chief Privacy Officer, Google LLC).
[6] See id. (statements of Len Cali, Senior Vice President of Global Public Policy, AT&T Inc., Rachel Welch, Senior Vice President of Policy & External Affairs, Charter Communications, Inc., Keith Enright, Chief Privacy Officer, Google LLC, and Guy Tribble, Vice President for Software Technology, Apple, Inc.).
[7] See Tony Romm, The Trump administration is talking to Facebook and Google about potential rules for online privacy, Wash. Post (July 27, 2018), https://www.washingtonpost.com/technology/2018/07/27/trump-administration-is-working-new-proposal-protect-online-privacy/?utm_term=.921d85c61f60.
[8] See Letter from Public Citizen and Center for Digital Democracy to Jeffrey P. Bezos, Chief Executive Officer, Amazon (May 23, 2018), https://privacyinternational.org/sites/default/files/2018-05/Bezos%20Sample%20GDPR.pdf.
[9] See TACD members send letter to companies urging them to adopt the core elements of the GDPR as a baseline standard (May 24, 2018), http://tacd.org/tacd-members-send-letter-to-companies-urging-them-to-adopt-the-gdpr-as-a-baseline-standard/ and Public Citizen and Center for Digital Democracy Release Sign-on Letter Urging Companies to Adopt Europe’s new Data Protection Rules (May 24, 2018), https://www.citizen.org/media/press-releases/if-companies-can-protect-user-data-europe-they-can-protect-it-everywhere.
[10] Letter from the Trans Atlantic Consumer Dialogue coordinated by Consumers International to Mark Zuckerberg, Chief Executive Officer, Facebook (Apr. 9, 2018), http://tacd.org/wp-content/uploads/2018/04/TACD-letter-to-Mark-Zuckerberg_final.pdf.
[11] See id.
[12] 83 Fed. Reg. 48600 (Dep’t Commerce Sep. 26, 2018).
[13] Developing the Administration’s Approach to Consumer Privacy, 83 Fed. Reg. 51449 (Dep’t Commerce Oct. 11, 2018).
[14] CONSENT Act, S. 2639, 115th Cong. (2018).
[15] An edge provider is any individual or entity that provides any content, application, or service over the Internet, and any individual or entity that provides a device used for accessing any content, application, or service over the Internet. Edge providers include, for example, Google, Amazon, Netflix, and Facebook. See David Post, Does the FCC really not get it about the Internet?, Wash. Post (Oct. 31, 2014).
[16] See Online Transparency & Personal Data Control Act, H.R. 6864, 115th Cong. (2018) and Suzan DelBene, If the US fails to protect citizens’ data, it will lag behind, Fin. Times, June 28, 2018, available at https://www.ft.com/content/d8a70f22-7a12-11e8-af48-190d103e32a4.
[17] Id.
[18] Id.
[19] Mark R. Warner, Potential Policy Proposals for Regulation of Social Media and Technology Firms (July 30, 2018), https://regmedia.co.uk/2018/07/30/warner_social_media_proposal.pdf (last visited Oct. 29, 2018). See also Ariel Shapiro, Democratic Sen. Warner has a new policy paper with proposals to regulate Big Tech companies, CNBC (July 30, 2018), https://www.cnbc.com/2018/07/30/sen-warner-proposes-20-ways-to-regulate-big-tech-and-radically-change.html.
[20] Id.
[21] Mark R. Warner, It’s past time to learn from failures, adapt our laws to the internet age: Mark Warner, USA Today (Aug. 1, 2018), https://www.usatoday.com/story/opinion/2018/08/01/congress-must-meet-privacy-data-social-media-challenges-column/875414002/.
[22] See Cal. Assem. Bill 375, 2018, Reg. Sess. ch. 5 (Cal. 2018). Available at: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
[23] DLA Piper, EU General Data Protection Regulation – Key Changes, https://www.dlapiper.com/en/uk/focus/eu-data-protection-regulation/key-changes/ (last visited Oct. 29, 2018).
[24] See Cynthia J. Cole & Neil Coulson, Why and How Europe’s New General Data Protection Regulation Impacts US Companies, Wolters Kluwer (2017), http://images.go.wolterskluwer.com/Web/WoltersKluwer/%7Bd6722fe1-0de3-4cd1-80de-c0c45e42a245%7D_WKLSW_Effacts_US_GDPR_and_effacts_paper.pdf?_ga=2.136616179.253643296.1540825386-1283023162.1540825386 and Sebastian Greger, The GDPR is a call to practice ethical design (Jan. 1, 2018), https://sebastiangreger.net/2018/01/gdpr-is-a-call-to-practice-ethical-design/.
[25] Justin Jaffe & Laura Hautala, What the GDPR means for Facebook, the EU and you, CNET (May 25, 2018), https://www.cnet.com/how-to/what-gdpr-means-for-facebook-google-the-eu-us-and-you/.
[26] Nitasha Tiku, Europe’s New Privacy Law Will Change The Web, And More, Wired (Mar. 19, 2018), https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/.
[27] Alap Shah, What is GDPR, Which Companies Are Talking About It And Why?, Forbes (May 24, 2018), https://www.forbes.com/sites/alapshah/2018/05/24/what-is-gdpr-which-companies-are-talking-about-it-and-why/#5857b54c7976.
[28] See Erin Egan, Complying With New Privacy Laws and Offering New Privacy Protections to Everyone, No Matter Where You Live, Facebook Newsroom (April 17, 2018), https://newsroom.fb.com/news/2018/04/new-privacy-protections/. But see David Ingraham, Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law, Reuters (Apr. 18, 2018), https://www.reuters.com/article/us-facebook-privacy-eu-exclusive/exclusive-facebook-to-put-1-5-billion-users-out-of-reach-of-new-eu-privacy-law-idUSKBN1HQ00P.
[29] See Julie Brill, Microsoft’s commitment to GDPR, privacy and putting customers in control of their own data, Microsoft On the Issues (May 21, 2018), https://blogs.microsoft.com/on-the-issues/2018/05/21/microsofts-commitment-to-gdpr-privacy-and-putting-customers-in-control-of-their-own-data/.
[30] See Twitter, Welcome to Twitter’s GDPR Hub, https://gdpr.twitter.com/en.html (last visited Oct. 29, 2018).
[31] See Apple, Privacy Governance, https://www.apple.com/legal/privacy/en-ww/governance/ (last visited Oct. 29, 2018).
[32] Justin Jaffe & Laura Hautala, What the GDPR means for Facebook, the EU and you, CNET (May 25, 2018), https://www.cnet.com/how-to/what-gdpr-means-for-facebook-google-the-eu-us-and-you/.
[33] IBM Study: Majority of Businesses View GDPR as Opportunity to Improve Data Privacy and Security, PR Newswire (May 16, 2018), https://www.prnewswire.com/news-releases/ibm-study-majority-of-businesses-view-gdpr-as-opportunity-to-improve-data-privacy-and-security-300649173.html and IBM Institute for Business Value, The end of the beginning—Unleashing the transformational power of GDPR (May 2018), https://public.dhe.ibm.com/common/ssi/ecm/86/en/86015886usen/86015886usen-01_86015886USEN.pdf.
[34] See IBM, supra note 33 at 2, 6.
[35] See id. at 12.
[36] See id. at 2.
[37] Kelly Sheridan, Businesses Calculate Cost of GDPR as Deadline Looms, DarkReading.com (Apr. 12, 2018), https://www.darkreading.com/risk/businesses-calculate-cost-of-gdpr-as-deadline-looms/d/d-id/1331527?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple and Robert Abela, Netsparker GDPR Survey: 10 Percent of C-Level Security Execs Say GDPR Will Cost Them $1M+ (Apr. 12, 2018), https://www.netsparker.com/blog/news/gdpr-survey-executives/.
[38] Id.
[39] Id.
[40] See id.
[41] See generally DLA Piper, Global Protection Laws of the World—World Map, https://www.dlapiperdataprotection.com/ (last visited Oct. 29, 2018) (comparing data protection laws around the world). See also Commission Nationale de l’Informatique et des Libertés, Data protection around the world, (Apr. 9, 2018), https://www.cnil.fr/en/data-protection-around-the-world (providing a map that documents the level of data protection in each country and whether the country has been recognized by the EU as ensuring an adequate level of data protection).
[42] The Consumer Privacy Bill of Rights would have provided consumers with the right to exercise control over the collection of their personal data and would have created a new right called “respect for context” which establishes the right not to be surprised by how one’s personal data is used. Congress failed to enact the bill at the time. See Daniel J. Weitzner, How Cambridge Analytica, Facebook and Other Privacy Abuses Could Have Been Prevented, Lawfare (Apr. 4, 2018), https://www.lawfareblog.com/how-cambridge-analytica-facebook-and-other-privacy-abuses-could-have-been-prevented.
[43] See Baker and McKenzie, GDPR National Legislation Survey (Jan., 2018), https://tmt.bakermckenzie.com/-/media/minisites/tmt/files/gdpr_national_legislation_survey.pdf?la=en (providing an overview of the current legislative activities in terms of national data protection laws supplementing the GDPR in 27 of the 28 EU Member States).
[44] Adam Satariano, G.D.P.R., a New Privacy Law, Makes Europe World’s Leading Tech Watchdog, N.Y. Times (May 24, 2018), https://www.nytimes.com/2018/05/24/technology/europe-gdpr-privacy.html.
[45] The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the U.S. as providing adequate protection. See European Commission, Adequacy of the protection of personal data in non-EU countries, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en (last visited Oct. 29, 2018).
[46] Stéphanie De Smedt, Yves Van Couter & Lola Lenfant, EU and Japan agree on free flows of personal data—Will South Korea be next in line? (July 26, 2018), https://www.lexology.com/library/detail.aspx?g=b26f3e13-84f1-4b34-9450-8453663493f0.
[47] Id.
[48] See Sara Merken, EU, South Korea Officials in Talks on Data Protection Pact (1), Bloomberg Law (Oct. 29, 2018), https://news.bloomberglaw.com/privacy-and-data-security/eu-south-korea-officials-in-talks-on-data-protection-pact-1. See also Alex Wall, GDPR matchup: South Korea’s Personal Information Protection Act, International Association of Privacy Professionals, Inc. (Jan. 8, 2018), https://iapp.org/news/a/gdpr-matchup-south-koreas-personal-information-protection-act/ (providing a table that compares aspects of the GDPR with South Korea’s data protection law).
[49] See Satariano, supra note 44.
[50] Id.
[51] See Satariano, supra note 44, and Melanie Ramey, Brazil’s New General Data Privacy Law Follows GDPR Provisions, Covington & Burling LLP, Inside Privacy (Aug. 20, 2018), https://www.insideprivacy.com/international/brazils-new-general-data-privacy-law-follows-gdpr-provisions/.
[52] Satariano, supra note 44.
[53] Graham Greenleaf, Global Convergence of Data Privacy Standards and Laws: Speaking Notes for the European Commission Events on the Launch of the General Data Protection Regulation (GDPR) in Brussels & New Delhi, 25 May 2018 (University of New South Wales Law Research Series, Law Research Paper No. 18-56, 2018), available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3184548.
[54] See id.
[55] Daily News, European Commission, European Commission endorses provisions for data flows and data protection in EU trade agreements (Jan. 1, 2018), http://europa.eu/rapid/press-release_MEX-18-546_en.htm. See also Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World (Oct. 1, 2017).
[56] See id.
[57] See id.
[58] See Diletta De Cicco, et al., Exporting EU Privacy Regime Through Trade Instruments?, Mayer Brown (Mar. 19, 2018), https://www.mayerbrown.com/exporting-the-eu-privacy-regime-through-trade-instruments-03-19-2018/#_edn1 (indicating in footnote 1 that the text of the proposal had been leaked).
[59] See Horizontal provisions for cross-border data flows and for personal data protection (in EU trade and investment agreements), http://trade.ec.europa.eu/doclib/docs/2018/may/tradoc_156884.pdf.
[60] See Letters from Robert Lighthizer, U.S. Trade Representative to Paul Ryan, Speaker, U.S. House of Representatives, Orrin Hatch, President Pro Tempore, U.S. Senate, Charles Schumer, Democratic Leader, U.S. Senate, and Nancy Pelosi, Democratic Leader, U.S. House of Representatives (Oct. 16, 2018), available at https://ustr.gov/sites/default/files/20181017004903138_2.pdf.
[61] Bipartisan Congressional Trade Priorities and Accountability Act of 2015, § 102, 19 USC § 4201 (2015) (extended 2018).
[62] See Privacy Shield, Fed. Trade Comm’n, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/privacy-shield (last visited Nov. 9, 2018).
[63] See Protection of Privacy in the Spotlight at Second Annual Review of EU-US Data Transfer Pact, 22 BRIDGES WEEKLY 35, Oct. 25, 2018, at 1. See also Press Release, European Commission, Joint Press Statement from Commissioner Věra Jourová and Secretary of Commerce Wilbur Ross on the Second Annual EU-U.S. Privacy Shield Review (Oct. 19, 2018), http://europa.eu/rapid/press-release_STATEMENT-18-6157_en.htm.
[64] See Press Release, European Parliament, Suspend EU-US data exchange deal, unless US complies by 1 September, says MEPs (July 5, 2018) http://www.europarl.europa.eu/news/en/press-room/20180628IPR06836/suspend-eu-us-data-exchange-deal-unless-us-complies-by-1-september-say-meps and Resolution on the adequacy of the protection afforded by the EU-US Privacy Shield, Eur. Parl. Doc. 2018/2645(RSP) (2018).
[65] See Protection of Privacy in the Spotlight at Second Annual Review of EU-US Data Transfer Pact, supra note 63.

Disclaimer: This material is for the reader's information only. It is not to be construed as legal advice.