European countries have long had different notions of privacy than we do in the United States, where privacy has weaker protection than free speech. But several recent developments are leading European privacy norms to have impact in the United States.
Article 8 of European Convention on Human Rights (ECHR) provides that “everyone has the right to respect for his private and family life, his home and his correspondence.” Pursuant to this right, in 1995 the European Union adopted its Data Protection Directive, which generally gives individuals the right to control use of information about themselves. In the United States, while a “right of privacy” has been recognized as an outgrowth of various constitutional provisions, it exists only because of several legislative acts and judicial decisions.
E.U. residents may now enforce privacy in U.S.
In late February, President Obama signed the Judicial Redress Act, Public Law No. 114-126, which allows E.U. residents to enforce their privacy rights in the United States. The new law was required under the provisions of the “EU-U.S. Privacy Shield” negotiated after the European Court of Human Rights held last year that the prior “safe harbor” scheme for protecting personal data was inadequate under E.U. law.
The European court held that the prior scheme was not compatible with the ECHR, including its failure to provide any remedy when the American government accessed data of Europeans, using techniques such as those revealed by former defense contractor Edward Snowden. That ruling threatened the European operations of American technology companies whose operations include transfer of data about European residents to servers in the United States. A coalition of technology companies and industry groups called enactment of the bill “a critical step in rebuilding the trust of citizens worldwide in both the U.S. government and our industry.”
The new law will allow the resumption of data exchanges between the United States and Europe. It requires American companies to commit to “robust” protection of Europeans’ personal data, and requires the companies to respond to complaints of misuse of personal data. The new law also allows residents of E.U. countries and other nations designated by the U.S. Department of Justice to take complaints about private companies’ misuse and insecurity of their private data to the Federal Trade Commission.
Before passing the bill, Senate Republicans added conditions on the Justice Department’s designations of countries that will be covered by the new provisions, such as a requirement that the countries reach data exchange agreements with the United States that do not “materially impede the national security interests of the United States.” The new law also requires that designated countries provide reciprocal privacy rights to American citizens.
The statute also establishes an ombudsman to field complaints over government access to personal data. FTC and ombudsman decisions may be appealed to federal court.
Americans may already file such suits over misuse of personal data under the federal Privacy Act. But most of the lawsuits filed over Snowden’s revelations on behalf of United States citizens have not been successful.
When signing the bill, President Obama said that the new law “makes sure that everybody’s data is protected in the strongest possible way with our privacy laws — not only American citizens, but also foreign citizens.”
Google gives in, somewhat, on the right to be forgotten
One way that Europe has expressed its notions of privacy is with the “right to be forgotten,” the idea that individuals should be able to control what historical information can be found about them online. The European Court of Human Rights established the right in a decision involving a Spanish lawyer who sought to repress a legal notice about the tax foreclosure sale of an apartment he owned with his ex-wife.
The court held in 2014 that while the information could remain in the online archive of the newspaper that published the notice, Google could be forced to remove links from its search results. The ruling led Google, Bing and other search web sites to establish methods for E.U. residents to request removal of links to personal information that is “inadequate, irrelevant or no longer relevant, or excessive.”
But search companies have insisted that the removal from search results should be limited to their European domains, such as google.es or bing.co.uk, with the links remaining in search results on non-European domains, including the main .com domains.
While these domains are directed at non-European nations, the sites can be accessed from within Europe. This led France privacy regulators to demand that the links be removed from non-European sites as well. The sites resisted this demand, but in early March Google announced that it would extend de-listings to its non-European domains when the sites are accessed from the individual European country of the individual who requested the listing, using geolocation techniques. The links will remain in the results for users outside that country accessing the non-European domains.
In a blog post announcing the change, Google global privacy counsel Peter Fleischer wrote, “We believe that this additional layer of delisting enables us to provide the enhanced protections that European regulators ask us for, while also upholding the rights of people in other countries to access lawfully published information.”
Privacy regulators of France and other E.U. nations told Bloomberg BNA that they were evaluating Google’s new plan. But some observers indicated that the regulators were likely to accept the geolocation method only as an interim step towards total removal of the material from all search sites, accessed from anywhere around the world.
This prediction was reinforced in late March when the French agency that oversees data privacy issued a €100,000 ($112,000) fine against Google for failing to apply the “right to be forgotten” link removal requests globally. Google announced that it would appeal.