The European Commission's call today for stronger data privacy protections could help the web's biggest data collectors like Google and Facebook fight data requests from the U.S. government.
As expected, the Commission published a collection of recommendations for stronger data protections, including a set of guidelines for a more stringent program that has afforded U.S. firms the ability to transfer personal data across borders with legal amnesty.
The proposed changes come as a result of ongoing revelations about the National Security Administration's controversial data surveillance programs. Among them are updates to a safe harbor agreement that has been in place since 2000. The deal enables more than 3,000 companies from General Mills to Google and Facebook to satisfy EU privacy regulations in exchange for self-certifying that they abide by certain rules.
Among the list of possible alterations are 13 recommendations for changes to the safe harbor rules intended to alleviate what the Commission called a scheme that is "deficient in several respects." The EU rulemaking body said "remedies should be identified by summer 2014."
A preliminary set of guidelines would require U.S. firms in the safe harbor program to publicly disclose privacy policies and "link to the Department of Commerce Safe Harbour website which lists all the 'current' members of the scheme."
The EU also proposed tougher enforcement mechanisms for firms that run afoul of the regulatory program.
"Because there's so much commerce between the U.S. and Europe, there's all sorts of personal data that really must flow from Europe to the U.S. for the global economy to work," said Mason Weisz, a counsel at law firm ZwillGen who has assisted companies in joining the safe harbor program.
Changes 'devastating'
Big changes to the program "would be devastating for U.S. companies," said Linda Goldstein, partner at law firm Manatt, Phelps & Phillips, who helps clients navigate privacy regulations. For one thing, she suggested, firms would have to segregate databases containing U.S. consumer data from EU consumer data, whether it be for marketing purposes or other business purposes such as human resources.
Though they suggest major changes to the safe harbor program could have a significant impact on the ability for U.S. companies to conduct business in the European market, legal advisors like Ms. Goldstein and Mr. Weisz are taking a wait-and-see stance for now.
"I don't really think that there's anything that brands can or should do now because this problem is a government problem," said Ms. Goldstein.
The Commission's move could transform the safe harbor program into a political football, she argued. Indeed, firms including Google have vocally complained about government data requests. If the EU pressures the U.S. government to restrict its data surveillance activity in order to maintain streamlined business operations, it could in the longrun please companies that want the federal government to curtail demands for data for security and law enforcement purposes.
The Commission today also called for "a swift adoption of the EU's data protection reform," a legislative framework "with clear rules that are enforceable also in situations when data is transferred and processed abroad," calling it "more than ever, a necessity."
