In January, the European Union (E.U.) proposed a new regulation on data protection. Although the proposal is years away from being finalized, the fundamental differences in how Europe and the U.S. think about privacy have already caused heated debate. Investigations that require the collection of data, such as inquiries into potential violations of the Foreign Corrupt Practices Act, financial fraud, or money laundering, are the most likely to create conflicts between compliance with U.S. law and compliance with E.U. law. The proposal defines personal data as any information that directly or indirectly identifies a person, so it would also reach data that identifies someone only indirectly or in combination with other data, such as a person's IP address or click-through pattern.
When companies in the U.S. work to comply with U.S. law, they are allowed to collect electronic information from their employees; the U.S. government expects companies to investigate themselves thoroughly and to be tough on employees. Europeans, on the other hand, traditionally believe that a person owns his or her own data, so even information stored on company computers and servers is protected by the E.U.'s data privacy rules. In-house counsel has usually cleared this hurdle by obtaining voluntary employee consent. Under the proposed E.U. regulation, however, employee consent would generally be invalid, because consent is not treated as freely given where there is a significant imbalance of power between the parties, as there is between employer and employee. Companies would have to obtain "specific, informed, and explicit consent" in order to use a person's data.
The proposal does not exempt data collection carried out to comply with the legal requirements of a non-E.U. country, which makes gathering evidence for U.S. legal compliance purposes more difficult. For example, National Security Letters (NSLs), which the FBI issues under authority expanded by the Patriot Act, would not be recognized in the E.U. NSLs are used mainly to obtain "non-content information", such as transaction records, phone numbers dialed, and the addresses of e-mail correspondents, to assist in investigations of terrorism, fraud, and organized crime. An NSL also bars the recipient company from telling its customers that their personal data has been disclosed. For a U.S. company to disclose the personal data of E.U. residents pursuant to an NSL, it would first have to obtain the approval of the Data Protection Authority of an E.U. member state. Companies that fail to do so would be subject to fines of up to 2% of their annual global revenue.
The White House has yet to propose actual text for its Consumer Privacy Bill of Rights, and the European Commission is urging the U.S. to catch up with Europe on data privacy. For either privacy regime to work in a global context there needs to be some commonality between the two approaches. On March 19, a high-level joint EU/US Conference on Privacy and Protection of Personal Data was held. The joint statement issued after the meeting was long on agreed targets, such as more transparency for consumers about how their data is used and more access to the data that companies hold about them, but short on agreed solutions. While the E.U. pushes for a single privacy law, the Obama administration has called for voluntary privacy codes of conduct to be developed with input from companies, privacy advocates, and other groups. Finding mutually acceptable ground will be difficult given the deep cultural differences between the two sides; perhaps the E.U.'s approach will never satisfy Americans' litigious mentality.