Many US-based companies collect cookies, location data, ISP identities, and other information pertaining to website users and their computers without giving much consideration to consumer privacy rules. However, anyone who operates a global website or engages with customer data on a global scale should be aware of the stringency of data privacy protection in the European Union (EU), including impending changes in consumer privacy laws known as the General Data Protection Regulation (GDPR).
Currently, the European Union has some of the world’s strongest data privacy protections. Privacy rights are included in the European Union’s Charter of Fundamental Rights. Those rights protect a wide spectrum of information including names, photographs, addresses, credit card numbers, ISPs, and the like.
However, without final centralized government action, the law for companies operating in Europe is currently murky. For example, in 2012, a court in France ruled that Twitter, a US-based company, was required to reveal French user identities, where users had posted hate speech. Twitter fought that ruling, but ultimately revealed the identification of the users to French prosecutors in compliance with a law enforcement request. Conversely, a German regulatory body, the Unabhaengiges Landeszentrum fuer Datenschutz (ULD, Office of the Data Protection Commissioner) Schleswig-Holstein, Independent State Center for Data Privacy (ULD), ruled that Facebook Inc. (USA) as well Facebook Ltd. (Ireland) could not require users to register their real names in accordance with the German Telemedia Act (“TMG”), ruling that German data protection laws applied to the company, even though it was based in the US.
In an attempt to resolve these conflicting laws, the European Commission has spent the last several years drafting and debating a single EU regulation known as the General Data Protection Regulation (GDPR), which would apply to all 27 EU member nations. The European Parliament approved the law in draft format in March 2014. While it has yet to be finalized, experts predict that the new rules could be approved as early as the end of 2014. The proposed regulation would give EU regulators authority to impose penalties of up to 1 million Euros or up to 2% of global annual revenues of a company, and up to 100 million Euros for negligent data breaches. Companies with more than 250 employees will be required to appoint Data Protection Officers. Companies would be given two years from the law’s passage to achieve full compliance.
Here in the US, data protection laws exist, but there is no overarching law as in the EU. Further, in attempting to comply with US laws, companies may find themselves in conflict with foreign laws in jurisdictions in which they are doing business. For instance, it is prohibited to transfer personal data from the EU to a non-EU country which does not have adequate protection for personal information in place. Many commentators have opined that EU lawmakers are not convinced that the US provides the same level of protection as EU laws or are even adequate to fundamentally protect privacy as viewed from the EU’s perspective. This raises the question of how a US company that only seeks to comply with U.S. privacy laws can legally collect personal data from EU customers.
To attempt to address the thorny problem presented by the dissimilarity of treatment of online privacy under EU and American law, the U.S. Department of Commerce in consultation with the European Commission developed a “safe harbor” framework, the so-called “Safe Harbor principals” (See http://www.export.gov/safeharbor/eu/eg_main_018475.asp) that require, for example, notice to users about the purpose for which it collects and uses information, how to contact the website regarding complaints, and an option to choose whether the information is disseminated to third parties. But notwithstanding the Safe Harbor provisions, the bottom line is that there simply is no comprehensive solution to the problem of incompatible legal treatment of online privacy by the EU and the United States.
If your American based company is operating its website globally, it may be time to seriously consider your policies regarding data privacy and protection. Because of the size of the problem of dissimilar treatment of online privacy by many different countries, the scope of this article cannot even begin to address the number or complexity of issues that arise with respect to data and privacy protection on global networks like the Internet. But, regardless of the magnitude of the problem, one simple bit of advice is universally applicable, if you are operating in a particular geographical marketplace, it will always be wise to acquire competent legal assistance to help you become familiar and compliant with the privacy laws applicable to that jurisdiction.
If you have questions about customer data privacy, you need an attorney who understands your needs and can help you protect your rights. Anna Vradenburgh is a well-respected, business-minded attorney with expertise in trademark issues with extensive experience prosecuting domestic and foreign trademarks. In addition to her prosecution practice, Anna also assists clients in the selection and use of trademarks and represents clients in trademark opposition matters, domain name dispute matters, and before the federal Trademark Trial and Appeals Board. Anna can also assist your company in licensing maters, including drafting and negotiation of trademark licensing agreements. For more information visit the Eclipse Law Group website, or contact Anna at (818) 488-8146.