Jan. 6 — Multinational companies have their eyes on two major issues in the European Union for 2016—the final adoption of a new privacy and data security framework for the EU and the move to replace the invalidated U.S.-EU Safe Harbor Program that eased the transfer of personal data from the EU.
The new privacy regime brought by the General Data Protection Regulation would replace the 20-year-old Data Protection Directive (95/46/EC) in an attempt to bring data protection principles into the 21st Century.
The Safe Harbor, which was invalidated Oct. 6, 2015, by the European Court of Justice (ECJ) (14 PVLR 1825, 10/12/15), permitted transfers of personal data controlled in the EU to the U.S. on the basis that participants complied with principles similar to those in the EU Data Protection Directive. The invalidation affected not only some 4,400 U.S. companies certified in the program but untold thousands of EU companies that relied on the certification to transfer personal data to those companies
General Data Protection Regulation
EU negotiators in December concluded nearly four years of talks on final text of a new General Data Protection Regulation, provisionally agreeing that companies that violate privacy rules might face fines up to 4 percent of their global revenue.
D. Reed Freeman, co-chairman of the cybersecurity, privacy and communications practice at Wilmer Cutler Pickering Hale and Dorr LLP in Washington, said the proposed fines are especially significant to companies handling European personal information.
But privacy advocates see the penalties as a positive move. “This may cause U.S. companies to be more privacy conscious in Europe, which could spill over into the U.S.,” John Simpson, privacy project director for Consumer Watchdog, said.
The agreement is expected to be put to a vote by the full European Parliament in late January and to enter into force within two years.
The proposal includes previously agreed-upon provisions on data portability, data breach notification and a supervisory system based on the concept of the one-stop-shop, meaning that EU data subjects can make complaints to their national data protection authority, which will work with other authorities to resolve the complaint, even if it concerns a data processor in another EU country.
A right to be forgotten principle was also included in the regulation, meaning that companies would be obligated to delete individuals' personal data from the Internet upon demand, provided there are no legitimate grounds for retaining the information.
Negotiators also inserted provisions allowing parents to exercise control over the processing of the data of their children. EU member states would be allowed to set the age at which parental consent is required at a floor of age of 13, but up to 16.
Under another provision, companies would be obligated to appoint data protection officers if the they handle significant amounts of sensitive data or monitor the behavior of many consumers. Small and medium-sized companies would be exempt, so long as data processing wasn't their core business activity.
“The broad extension of jurisdiction by the EU over U.S. online companies, the right to be forgotten and the potential limitation on use of Internet sites by kids under 16 are the most troubling aspects of the proposal, although there are many other troubling aspects,” Christopher Wolf, director of the privacy and information management practice at Hogan Lovells LLP in Washington, said.
A New Safe Harbor?
The U.S. Federal Trade Commission will be helping the U.S. Commerce Department finalize an agreement with the EU to replace the U.S.-EU Safe Harbor. Negotiators are under pressure to announce a deal by the end of January, when the Article 29 Working Party of EU data protection officials have said they will start to enforce the European Court of Justice's invalidation ruling if no replacement agreement is in place.
“This is a hugely important issue for U.S. businesses,” Wolf said. “There are thousands of companies that relied on the Safe Harbor framework.”
Assuming an agreement is reached, that won't necessarily be the end of the story, observers said.
“There could certainly be more court challenges in Europe,” Janis Kestenbaum, a partner in the privacy and security practice at Perkins Coie LLP, in Washington, said. “Some may or may not feel the new Safe Harbor system is adequate or sufficient under EU law. In addition, the ECJ decision gives individual data protection authorities the ability to take a look at the new agreement and decide whether they think it's adequate in adjudicating individual privacy complaints.”
In light of concerns raised in Europe about government access to personal data transferred to the U.S.—the central concern that gave rise to the invalidation of the Safe Harbor—the U.S. Congress is under pressure to quickly pass legislation that would extend to foreigners the right to seek civil damages for unauthorized disclosures of personal information under the U.S. Privacy Act. In October 2015, the House has passed a bill (H.R. 1428), dubbed the Judicial Redress Act (14 PVLR 1929, 10/26/15). A Senate version (S. 1600) is pending before the Senate Judiciary Committee, which is expected to take up the measure in early 2016.
On the broader international front, the Internet Corporation for Assigned Names and Numbers is considering changes to how it handles proxy service providers, which allow domain name registrants to hide their true identities, usually due to valid privacy concerns. But registrars, who often offer proxy services, and intellectual property interests recently agreed on a streamlined process for companies to seek the true identity of infringers without resorting to court orders.
“It's pretty evident that the key large registrars want to do the right thing, and we need to step up and define what the right thing is and work with those different reporting sources to have a dialogue and figure out what that best practice is,” Darcy Southwell, compliance officer at Endurance International Group, which operates registrars and Internet hosting companies, said.
Among these, an accreditation regime for domain name privacy and proxy registration services could go to the organization's board by January. The drafters retreated from a controversial plan to limit proxy domain registration for commercial entities, and the regime is likely to be implemented this year. There will be new rules for proxy services, often bundled with domain registrations and hosting services, that provide a streamlined mechanism for unveiling infringing proxy registrants' identities without a court order.
ICANN's board has proposed replacing the long-controversial WHOis domain name registrant database with a next generation system.
With assistance from Joseph Wright in Washington
To contact the reporter on this story: Alexei Alexis in Washington at [email protected]
To contact the editor responsible for this story: Keith Perine at [email protected]