Europe's General Data Protection Regulation Makes Privacy Global


(Geoff Duncan) #1

Originally published at: https://tidbits.com/2018/05/02/europes-general-data-protection-regulation-makes-privacy-global/

Your inbox has probably been filled with notices from companies updating their terms and privacy policies to comply with Europe’s General Data Protection Regulation (GDPR). But what will it actually mean, both inside and outside the European Union?


(Joseph) #2

This article implies that small companies with only a US presence are somehow going to be held to EU laws and fines.

The EU may claim that it applies to them, but the reality can’t be that absurd.


(Adam Engst) #3

The GDPR is not related to presence, as in where the company is located, it applies to, as Geoff says, “any organization anywhere in the world holding or processing the data of EU citizens.” Here’s some more info on that:

https://www.workplaceprivacyreport.com/2018/01/articles/international-2/does-the-gdpr-apply-to-your-us-based-company/


(Simon) #4

I’m not so sure it’s absurd in this day and age. Your presence is one thing, who you do business with another that’s becoming less and less related to the former.

The EU says that the law applies to whoever does business with its citizens. A small US company is of course free to deny business to EU citizens. But if the do enter business relations with EU citizens, they have to abide by EU law. Doesn’t sound outrageous to me.

That said, I hope the GDPR will increase pressure so we finally take digital privacy more seriously in the US. You’d think with identity fraud increasing, we’d already be motivated, but obviously lobbying powers in Congress are mightier.


#5

I’m not anything resembling a legal scholar, and my reading of this is that if any company outside the EU collects targeted data from EU residents for commercial use, if they violate the privacy protections of the law, then they could be liable.

Personally, I’m 100% OK with this. I wish the US would pass a law at least as strong as this, but unfortunately the chances are most likely zero.

Marilyn


(Joseph) #6

Actually, this has very little to do per se with doing business. Putting a simple website online is enough for them to claim that you have to comply. In other words, they are claiming authority and control of the practices of everybody in the world.

No, you do not have to follow the rules of another country just because you sell a product to somebody there. They might start rejecting your product at customs if you refuse, but laws only apply to the domain you control. I can demand that anybody who wants to look at my art exhibit has to pay $20, but I cannot put that exhibit in my front lawn and expect to be able to enforce it.

This is a power grab by the EU. But in the end, it’s all going to come down to a question of whether the USA will enforce an EU law FOR the EU against a US citizen. The EU courts have no jurisdiction here.

Are there trade and legal agreements between the countries? Sure.

But let’s be clear. Nobody knows whether the US would step in to help the EU prosecute somebody over this, and their claim that it applies to everybody in the world is absurd. Many countries would simply laugh at them.


#7

jtbayly
jbayly

    May 3

Actually, this has very little to do per se with doing business. Putting a simple website online is enough for them to claim that you have to comply. In other words, they are claiming authority and control of the practices of everybody in the world.

The law requires that if a company collects data about an online user in the EU, then that user has to have the right to opt out and/or obtain a copy of the information. If a small company finds this onerous, then they don’t have to collect data. Nobody is forcing them to collect data.

In the US, the low tech HIPPA laws require privacy, security and portability of medical information. Yes, is a PITA to repeatedly fill out the forms for patients and practitioners, but the law ultimately benefits the human beings whose records are collected. One of the many reasons the law was passed was that info was being sold to data collection agencies for commercial and non commercial services.

No, you do not have to follow the rules of another country just because you sell a product to somebody there.

Google and Facebook have had to make big payouts to the EU on information they collected from the EU to use for the US sales of advertising and to third parties. Apple had to part with a few billions of their mega stash for other reasons.

But let’s be clear. Nobody knows whether the US would step in to help the EU prosecute somebody over this, and their claim that it applies to everybody in the world is absurd. Many countries would simply laugh at them.

If they do go after a US Company, it they won’t make an example of Joe Schmoe or Jane Schmane and their little online companies. But recent events add more proof that if personal information of a human being is the product, then that person deserves the right to make a choice about it.

BTW, maybe this whole shebang has something to do with Apple News not being available yet in EU countries though news from EU publishers is served in the US. They do split revenue now with publishers, but I don’t know who sells what. They are negotiating with Google owned Doubleclick, who would be the one to handle revenue.

Marilyn


(Fritz Mills) #8

Ha! My cynical take on this is that under the Trump administration, the US would be more likely to step in to help Russia prosecute a US citizen than it would be to help the EU prosecute a US citizen.


(Joseph) #9

This is not a question about whether privacy and data protection are good. They are.

This is a question of whether the EU has the right to enforce laws on US companies that are not under their jurisdiction.

Apple and Google do business and even have incorporated businesses in those countries. If they want to keep doing business in those countries they must follow the laws of those countries.

This is just like taxes. Ohio can’t even force a small business in Virginia to collect taxes and pay them across state lines. Only Ohio or a federal law can force that.

The EU can claim all they want that they have jurisdiction over every company in the whole world, but unless the USA decides to enforce their law, it simply doesn’t apply to businesses that are solely in the US.

Has the USA made clear in their trade or tax laws that this kind of law will be enforced? I have no idea, but I doubt it. And I wouldn’t want to be the test case.

But let’s be entirely clear on one thing. The EU cannot claim jurisdiction outside its borders. And advocating that they do so simply because they claim to on a law we like is asking for serious problems.

What if the law said that anybody in possession of personal data of an EU citizen had to be armed with a gun during the duration of the possession for the protection of the data? You’d laugh at them. Why? Because they don’t have jurisdiction.


(Neil Laubenthal) #10

You’re right…but it really depends on the definition of “under their jurisdiction”. If a company has a business presence in the EU…then I can see a valid court case to allow a decision as to whether the EU privacy laws apply…but even then will other countries in the world enforce their decision?

It’s also a political issue…google and MS and whoever else has agreed to pay fines may have simply decided that it was easier, cheaper, and more politically expedient to just pay the fine than it was to either fight it or change their business practices…and again, eventually it comes down to whether the US would enforce an EU court decision.

For a small company based in the US with no presence in the EU…then I would argue that the EU should’t have jurisdiction…if EU citizens choose to do business with that company then does the company really have a legal requirement to do what the EU says…or have the EU citizens granted permission by doing business with the company.

The EU will continue to claim they have jurisdiction…and large multinationals will likely abide because they have business interests in the EU…but as I see it…I’m not a lawyer, but it seems like common sense to me…then the EU has no jurisdiction in the US…just like we have no jurisdiction to state that drugs or prostitution which are legal in certain areas of the EU are against the law if a US citizen partakes.


(Joseph) #11

Yep, except Apple and Google etc. all have business presences or enough income in that country that they don’t want to be prevented from doing business there.

That’s the main recourse for the EU. They can say, “Fine. You don’t want to follow our laws regarding data? Then you can’t send physical products into our country.” I’m having a hard time figuring out any recourse for them with digital products except for making it against the law for their consumers to purchase from you. (Or convincing the original court of jurisdiction to take action.)


(Geoff Duncan) #12

It is an open question whether EU data authorities or individuals will attempt to bring a suit against US-based organizations over the GDPR: if it happens, it’s almost certainly going to be a “big data” case, not a mom-and-pop operation using cookies to identify forum users. In big data cases, the legal foundation for action would be granted by the (contested) US-EU Privacy Shield. The Privacy Shield has a complicated background (it’s the replacement for a “Safe Harbor” agreement that was nullified by the European Court of Justice in 2015), but requires the United States cooperate with European data authorities. So, at a very basic level, the US has entered into a treaty with the European Union regarding data privacy, and some of the terms are transparency and redress of complaints brought by EU individuals or data authorities.

The US-EU Privacy Shield (and a corresponding agreement with Switzerland, and probably a corresponding agreement with the UK once Brexit happens) basically requires companies to self-certify that they meet the regulatory requirements; if they’re found not to be complying, the FTC can bring action against them in the United States. Again, whether or not that will actually happen is an open question.

Also, size does matter (a bit). The GDPR requires data controllers outside the EU selling goods or services to consumers in the EU (or profiling them) designate a representative in the EU to respond to any privacy inquiries or complains from data protection authorities or individuals. (It’s in Article 25 if anyone wants to look.) There are three notable categories of exception: firms with fewer than 250 people, firms which “only occasionally” offer goods or services to EU residents, or countries deemed to offer “adequate” levels of legal protection for personal data. The United States’ current protections do not qualify as “adequate” under the terms of EU law. The UK says it’s aiming for better-than-adequate in its final data protection agreement with the EU.


(Joseph) #13

That’s great info. Thanks.


(Simon) #14

I think these issues of who has jurisdiction are a bit more complicated in a digital world. Sure, in dealing with traditional goods that have to actually cross a border the EU can have their customs enforce their laws as @jtbayly pointed out. They can seize goods, the can refuse entry, etc. Along those lines it’s easy to think of jurisdiction as being solely based on territory. In that world it’s no surprise you would expect jurisdiction to stop at the border and hence the US doesn’t get to enforce its prostitution laws for US citizens in the EU as @neil1 points out. (*)

However, this is no longer the world of 1880 where trade consists of actual goods that cross actual borders. In today’s digital economy goods can be personal data (eg. Facebook mining your data to sell to their advertisers). Now where do you block those goods from crossing which border? How do you enforce your laws, especially those designed to protect your citizens from bad market actors?

Sure, the EU could attempt to set up their digital “customs” like the Chinese do with the Great Firewall. Sniff all IP traffic, block IPs and ports, all that nonsense. But who wants that? The only reason China gets away with it is because the Communist Party of China is running an unopposed brutal dictatorship that we in the western world have simply chosen to do business with, human rights be damned. No sane person would want to have the physical border and customs of the 1880s economy implemented in this technical fashion in today’s global economy.

Another approach would be that the US simply tells the EU to get lost with their GDPR. Then how would the EU deal with that if they wish to enforce their citizens’ protection through the GDPR? Well they can do what the US does in such cases. Seize all assets, have managers arrested as soon as they travel abroad into countries with extradition treaties, shutter any local business presence, start prosecuting any other businesses who have business relations with the extraterritorial entity in question, etc. Sounds familiar? Yeah, that’s how the US enforces its laws in other countries (if you’re still having trouble remembering, try these cues: Cuba, Swiss bankers and Nazi gold, VW). The EU could take a page from that same playbook and make life as difficult as possible for any US company that does business with EU citizens but doesn’t want to abide by laws protecting said EU citizens. Sure you can say, so what I’m not in the EU. Doesn’t matter. Your business partners are. Sure, that’s extreme. But it has all been done before, by the US itself actually. So would you really want Google fined in the EU because they do business with you and you chose to give the EU the finger? How long do you think Google will keep your gmail account open then? Or do you want to get arrested next time you fly to Cabo? Do you want your IPs blocked in all of the EU? Probably not. Probably its better to either stick to the GDPR when doing business with EU citizens, or simply chose not to do business with EU citizens. US companies always have this choice regardless of how the US decides to react to GDPR.

That all said, it will be interesting to see how the US reacts when the EU decides to go after a US company that has violated GPDR while doing business with EU citizens. Because of the above concerns, the US will definitely not chose to just say “jurisdiction” and act as if can ignore the issue. There is far too much trade involved for any kind of knee-jerk simplifications and it will be interesting to see what solution the government comes up with.

*) This by the way is not such a clear cut issue. There are countries that do indeed prosecute their citizens for things illegal in country that these citizens have committed abroad - even when it was legal in the country the citizen was at the time. A recent example is Sweden convicting a Swedish citizen for solicitation for an act committed while on vacation in Thailand. Prostitution is illegal in Sweden, but perfectly fine in Thailand. On return to country the citizen was charged and convicted.


(Joseph) #15

I agree with much of what you said above, but this is untrue. Read the “Can you avoid GDPR Compliance by blocking EU visitors from your website?” Section on this page. Some salient quotes:

it covers any and all personal data, even that which you collected prior to GDPR going into effect

under the language of GDPR, if Joe Smith who is a U.S. citizen is signing up for your U.S.-based service, or placing an order through your U.S.-based website - while on an airplane flying over an EU country - by the language of GDPR, the data that Joe provides to you is covered by GDPR.


(Simon) #16

Interesting issues.

But in that case, you could terminate business relations with EU citizens and discard their old data.

This I simply don’t believe is correct. And I don’t imagine the EU is going to battle the US over something which involves somebody who isn’t even an EU citizen doing business in no relationship with the EU. But just to play devil’s advocate, fine then. You refuse to do business with EU citizens and then in your ToS you require of your customers (those from outside the EU who you are doing business with) to confirm that they will not do business with you from within the EU. If they still do so (let’s say on a plane over the EU) they have violated the terms of contract, you stop doing business with them, you delete their data.

In these cases I would assume you’d only be getting yourself into trouble if you refused to delete their data. But why would you do that? You already ended your business relationship. And with no data, no GDPR issues, right?

I have to admit, I’m a bit skeptical of the doom & gloom coming from “compliance specialists”. Compliance lawyers need business. This is a business opportunity. What can actually happen to you legally as a small time business in Godknowswhere, USA is not necessarily the same as the big black picture some of these people now paint. Not saying they’re wrong, I’m just a bit cautious when things sound super urgent and super dangerous.


#17

You’re right…but it really depends on the definition of “under their jurisdiction”. If a company has a business presence in the EU…then I can see a valid court case to allow a decision as to whether the EU privacy laws apply…but even then will other countries in the world enforce their decision?

If a website based in the EU wants to collect data from a visitor in a non EU country they have to give that person the right to approve or not approve. If they do approve, they also have the right to opt out and have the data that was accumulated deleted, and while people remain in the system they must have the ability to easily review any information that was collected. If they don’t approve, the site can block access to the site, or they can allow the visitor to access the site without being tracked. Sites are also required to report any security breeches to the EU within either 2 or 3 days.

It doesn’t matter if the site is selling anything or not. The US Courts ruled that a US based company used information collected in the US serve targeted information in the EU or visa versa, the US gets to collect on the sale of the data. I do wish the US went the extra miles the EU did to ensure privacy, data security and the ability to determine and makes decisions about what can be sold about me.

It’s also a political issue…google and MS and whoever else has agreed to pay fines may have simply decided that it was easier, cheaper, and more politically expedient to just pay the fine than it was to either fight it or change their business practices

Nope, Google and Facebook fought tooth and nail all the way to the US Supreme Court over the tax issue and spent fortunes in attorneys. And Apple fought tooth and nail and probably even made a little dent in their big cash pile to protect its privacy policy. I think MS currently has a privacy case before the Supreme Court, but the one I was referring to was the Netscape monopoly case.

It’s not the way the corporate world works. If a big corporation doesn’t fight a particular battle of this magnitude and settle instead, it it most likely to cause an epidemic of suits that would either bankrupt the company or eventually end up in the Supreme Court anyway.

and again, eventually it comes down to whether the US would enforce an EU court decision.

The EU can enforce rules in the US the same way the US enforces litigation in other countries. They garnish the revenues they collect, or the holdings companies have, within their boundaries. If I remember correctly, the new EU law requires a % of annual income. They can freeze bank accounts and assets while in litigation.

For a small company based in the US with no presence in the EU…then I would argue that the EU should’t have jurisdiction

Whether or not they do or don’t, the government is unlikely to go after some sweet little grandma’s site about knitting and crocheting. But if millions of grandmas and grandpas are signed up with a second or third party ad network, then the network could possibly be sued. If they lost, grannies and grampies might not collect the few dollars from ads served on their site. But Facebook and Google would have to pay up.

Marilyn


#18

The problem is with the persistence of data. Unless it can be confirmed that data was actually deleted and will remain deleted, it can, and probably will be sold and sold and sold ad infinitum.

Marilyn


(Joseph) #19

And there is no way to confirm that every copy of a piece of data has been deleted.


(@lbutlr) #20

It is absolutely not absurd. The law applies to any company that holds data on/for/about EU citizens, regardless of where that company is. Sure, some Chinese company might ignore it, but if it’s anything of any consequence the EU has a large array of tools for dealing with it, including blacklisting the company’s Internet addresses.

As for whether the EU has the right to enforce its laws outside the EU, that ship has sailed long ago with the US having a multi-decade tack record of doing this exact thing. The EU routinely, and successfully, claims jurisdiction over its citizens regardless of where they physically are.

If you do business with the EU in anyway (even if you don’t know it), you better comply with GDPR.

And it’s honestly pretty easy to comply and the regulations are surprisingly sensible for something that came out of a committee.