European Union Imposes Extraterritorial Privacy Obligations on U.S. Businesses
Privacy & Information Security Update
Date: May 16, 2014
One of the burning questions in international data protection regulation is the degree to which one nation, or group of nations, can impose its regulatory standards on global businesses. More specifically, the assertion of cross-border jurisdiction by European regulators has been a topic of much discussion, question and anticipation. We now have received, if not an answer or clarity, a clear indication the European Union intends to extend its jurisdiction practically as far as technologically possible. Earlier this week, the Court of Justice of the European Union (ECJ) released an historic and much-anticipated opinion that, in a narrow sense, may change the future of Internet searching for people and businesses located not only in the EU, but throughout the world, and in a broader sense alter the obligations of non-European businesses to conform to European standards.
In 2010, a Spanish national lodged a complaint with the Spanish Data Authority against Google Spain and Google, Inc. (a U.S. corporation), claiming that a Google Internet search of his name returned “outdated and irrelevant” personal information about the auction of his home in 1998. The complainant sought to compel Google to remove or conceal the information, even if it was entirely accurate, so that it no longer appeared in search results. The Spanish Data Authority ordered Google to remove the data and render future access impossible. Google then appealed the decision to the ECJ.
The ECJ was tasked with determining whether its citizens had a so-called “right to be forgotten” or “right to erasure” that would allow them to require the search engine to “delete” links to information from the Internet, including, in some cases, public records. The ECJ concluded that the automated indexing of information constituted a “processing of personal data,” subjecting the practice to the EU Privacy Directive and its protections provided for the privacy of EU citizens. The Court observed that “even initially lawful processing of accurate data may, in the course of time, become incompatible with the [1995 European Data Protection] directive where, having regard to all the circumstances of the case, the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” Accordingly, the ruling only compels Google to remove its link to the information, rather than the information itself.
Following the ruling, a data subject may make a request directly to the operator of a search engine, who is then obligated to examine the request’s merits. If the request is denied, the data subject may appeal the decision to the supervisory authority. It has been reported that Google was inundated with removal requests only hours after the ECJ ruling. Sources at Google have indicated they have yet to establish a procedure to deal with the millions of requests they expect to receive. Both the legal and practical implications of the ruling – not only for Google, but for the future of Internet searching – are certain to be widespread and unpredictable.
The ECJ also ruled that EU citizens’ fundamental right to privacy overrides not only “the economic interest of the operator of the search engine but also the interest of the general public” in having that information unless the public’s right to access the information is somehow justified – for example, in the case of a public figure. The ruling’s opponents consider it an act of censorship requiring Google to effectively “edit the Internet,” which calls into question serious issues regarding freedom of speech and freedom of the press.
Arguably, the most important implication of the ECJ ruling, however, is its extraterritorial reach. Though the personal information in question was that of an EU citizen, Google, Inc. is a U.S. corporation that was ordered by the ECJ to delete its search links. On leave from her role as EU Justice Commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in California or anywhere else in the world,” and that “the data belongs to the individual, not the company.” Prior to this decision, the EU Privacy Directive’s extraterritorial application and erasure rights were unsettled. The proposed EU General Data Protection Regulation – which would supersede the Privacy Directive with a single unified law – provides explicit direction regarding erasure rights and extraterritorial reach. The EC is aiming to adopt the Regulation in 2014, with a two-year transition period before it takes effect. It is unclear how the ECJ ruling or its practical effects that become known prior to the Regulation’s adoption might impact how the Regulation ultimately codifies erasure rights.
Accordingly, U.S. businesses are facing a privacy landscape wherein they are subject to the EU privacy laws even if they are not located in, or doing business in, the EU so long as they are storing or processing an EU citizen’s personal information. Furthermore, the ECJ decision does not limit its holding to search engines or data otherwise stored on the World Wide Web and could arguably be applied in the employment context by requiring an employer to, for example, “delete” information regarding reasons an individual’s employment was terminated.
FOR MORE INFORMATION
For more information, please contact:
Roy E. Hadley, Jr.
Thomas F. Zych
Darcy M. Brosky
Craig A. Foster
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2014 THOMPSON HINE LLP. ALL RIGHTS RESERVED.