With New EU Data Rules to Protect Personal Info, US Companies May Have to Decide Whose Laws to Break

“Article 43a appears to be in reaction to the National Security Administration’s PRISM program, which was recently brought to light by Edward Snowden.” (Gerald Ferguson and Alan Pate of BakerHostetler)

Earlier this month, the EU Parliament’s Civil Liberties Committee (LIBE) approved a set of proposed amendments to the EU Data Protection Regulation that could have important repercussions for US companies that gather and process personal information of European consumers.

Attorneys Gerald Ferguson and Alan Pate of law firm BakerHostetler explain:

“Included in the … package is Article 43a, a provision that restricts controllers or processors of EU data from disclosing that data to third-country administrative or judicial authorities. Under proposed Article 43a, if a third-country authority asks a company to disclose EU data, that company must seek permission from the relevant European national data protection authority and inform the data subject of the disclosure.”

That requirement could put US companies in a bind, say Ferguson and Pate:

“If ultimately enacted, this requirement could leave many U.S. businesses, which hold data of EU nationals, facing a very difficult choice: (1) violate U.S. law by not complying with a demand from US law enforcement authorities [including the NSA or other government agencies]; or (2) violate EU law and face stiff penalties.”

As such, the provision could end up disrupting trade between the US and Europe:

“Ultimately, this conflict of laws could have severe consequences for Inter-Atlantic trade. Many routine business interactions between U.S. and EU companies (e.g. the processing of online sales transactions) could potentially be impacted.”

What to do now? Start planning, write Cedric Burton, Christopher Kuner, and Anna Pateraki of Wilson Sonsini:

“[C]ompanies should consider how these key principles could impact their operations, strategize on whether they will affect their data protection strategy and compliance programs, and begin planning modifications to their existing practices if necessary.”

And cross your fingers:

“The LIBE vote is an important step in the legislative process, but the road ahead is long and many obstacles could still slow down the possible adoption of the new EU data protection framework.”

For your reference, here’s a look at the other key provisions of the proposed law:

1. New procedures for responding to law enforcement information requests:

“[T]he LIBE draft would require both data controllers and data processors to notify [data protection authorities (DPAs)] about requests to disclose personal data to courts or regulatory authorities in countries outside of the EU, and to obtain formal approval of DPAs before turning over European data. The LIBE text also provides that ‘any legislation which provides for extra-territorial access to personal data processed in the Union without authorization under Union or Member State law should be considered as an indication of a lack of adequacy.’” (Cedric Burton, Christopher Kuner, and Anna Pateraki of Wilson Sonsini)

2. Stiffer penalties for violations:

“The fines have been significantly increased and can now amount to €100 million or up to 5 percent of a company’s annual worldwide turnover, whichever is greater.” (Burton, Kuner, and Pateraki)

3. Companies must provide a “right to erasure”:

“According to the Civil Liberties Committee, any person would have the right to have his or her personal data erased if he or she requests it. To strengthen this right, if a person asks a ‘data controller’ (such as an Internet company) to erase his or her data, then the firm should also forward the request to others where the data are replicated. The ‘right to erasure’ would cover the ‘right to be forgotten’ as proposed by the Commission.” (Emma Thomas at DLA Piper)

4. “Explicit consent” is required from consumers:

“Where processing is based on consent, an organisation or company could process personal information only after obtaining clear permission from the data subject, who could withdraw his/her consent at any time. A person’s consent means any freely given, specific, informed and explicit indication of his/her wishes, either by a statement or by a clear affirmative action. There are in addition amendments to the basis of using legitimate interests of the data subject as a base for processing.” (DLA Piper)

5. New categories of personal data:

“The … text introduces new concepts with regard to the definition of personal data: (1) ‘pseudonymous data,’ defined as personal data that ‘cannot be attributed to a specific individual without the use of additional information,’ as long as such information is kept separately and secure; and (2) ‘encrypted data,’ identified as personal data that is ‘rendered unintelligible’ to unauthorized access due to security measures (Article 4 (2a) and (2b)). The LIBE amendments clarify that such types of data remain personal data under the Regulation, but they are subject to less burdensome requirements.” (Burton, Kuner, and Pateraki)

6. Important new limitations on consumer profiling:

“[The Ministers] set limits to profiling, a practice used to analyze or predict a person’s performance at work, economic situation, location, health or behavior. Profiling would only be allowed subject to a person’s consent, when provided by law or when needed to pursue a contract. Furthermore, such a practice should not lead to discrimination or be based only on automated processing. Any person should have the right to object to any profiling measure, and certain data sets would be prohibited for use in a profiling situation, such as administrative sanctions and judgments and gender identifiers.” (Thomas)

7. Companies based outside of Europe must comply:

“The LIBE text provides that the Regulation would apply to both controllers and processors not established in the EU when offering services to individuals in the EU, even without payment, or when monitoring such individuals (‘monitoring’ seems to involve tracking and the creation of profiles). Data processors would be directly subject to the Regulation, meaning that it would apply to a variety of online service providers located outside of the EU.” (Burton, Kuner, and Pateraki)
