Are E.U. and Google Data Policies the Future of Online Privacy?

Catherine Dunn

Corporate Counsel January 27, 2012

It’s been a big week for data privacy. First Google announced its new privacy policy, which will sync user information across all company products, including search results. Then the European Union announced a proposed overhaul of its data protection law. And next, the Federal Trade Commission and the U.S. Department of Commerce are expected to unveil their own communiqués on U.S. privacy policy. (And in case it’s not already on your calendar, Thursday was also Data Privacy Day!)
What does this sudden explosion in attention to data privacy mean for companies?
“I think the first takeaway is just how consequential and pervasive the issue of privacy, information security, and regulation of data protection are to business, commerce, and international trade,” says Alan Charles Raul, a partner at Sidley Austin in Washington, D.C., and global coordinator of the firm’s privacy, data security, and information law practice.
Part of the wave of new policies is just about keeping up with the forward momentum of the digital age. The E.U. had not revised its data protection policy since 1995. For its part, Google—as the Wall Street Journal noted—is increasingly in competition with Facebook for market leadership in leveraging personal data of users.
Because of the global interconnectedness of many online enterprises, a data-policy change in Europe or at Google’s California headquarters should not be viewed too narrowly. If a company in the U.S. is offering services to individuals in the E.U., for instance, it is likely this new proposal would apply to how it handles its overseas customers’ data, Raul says.
He highlights several key items for businesses in the E.U. plan. First, under the proposal, a company could be fined up to 2 percent of its annual worldwide revenue for committing a violation. That should capture the attention of both compliance officers and boards of directors, Raul says.
The proposed legislation also incorporates the continent’s notion of the “right to be forgotten”—that is, for example, the right of consumers to compel companies and third parties to delete their information from the Internet. (As constitutional scholar Jeffrey Rosen recently pointed out on these web pages, that idea is quite divergent from the American concept of freedom of expression.)
The E.U. proposal does incorporate some U.S. themes, too, says Raul. It would impose affirmative data security obligations on companies, as well as data breach notification requirements. Raul thinks, though, that the proposed 24-hour turnaround time for data breach notification is not entirely feasible or desirable.
However, like existing E.U. privacy law, the proposed directive does not apply to government requests for information in the context of national security.
The E.U. proposal process is analogous to that of a bill that is introduced to the U.S. Congress. It would need to be approved by the full E.U. Parliament and by the European Council of member states. The proposal could be modified during that time, says Raul. And if the proposal is eventually finalized and approved, it would not take effect for two years after passage.
In the meantime, however, the proposal will inevitably serve as a point of reference for two U.S. government proposals that are due “any day now,” says Raul. The Commerce Department is expected to release its framework on data privacy policy, to be followed by the release of a final staff report on privacy from the FTC.
“We’ve got these other two major privacy shoes to drop,” Raul says. “These will be significant items that the privacy community, as well as any business, will have to digest.”

From 27 January 2012