1. Data privacy concerns entwined with anti-globalization
Anti-globalization has become a serious theme in Western countries. Right-wing and left-wing political movements converge on the issue. Centrist elites acknowledge that the great wave of borderless commerce since the end of the Cold War has imposed unanticipated, serious harm on local work forces.
Recent political developments around the world underscore the trend. A consensus is developing that something must be done, with no agreement on what. In addition, the nature of security risks has changed: both terrorism and financial and industrial crime increasingly inhabit the shadow world created by the Internet. At a base level, substantial constituencies are now re-examining the main economic drivers of the modern world, with potentially severe political and commercial ramifications.
The same dynamic of expansion and reaction is now confronting the movement of data. On the one hand, most people recognize the benefits of technology. On the other hand, many scapegoat technology as the problem. "Security" and "privacy" are the surrogate targets for these concerns. They exert the same rallying power as "jobs," "income equality" and "immigration." The "cloud" and "networking" may inspire the same suspicions as "outsourcing" and "free trade." However, there is a major difference—there are no simple fixes for macroeconomic trends; but there is a sense that there are available methods to address privacy concerns. These include law, regulation, computer mechanics and cyber warfare.
Concern about data privacy and security, whether for intrinsic reasons or as a vehicle to advance other agendas, has been building as a result of various high-profile incidents, including the multiple reports of vast commercial hacking, Snowden's exposé of government surveillance activities, and cyber breaches of sensitive government personnel data. The tipping point may have been reached as a result of the presumptive Russian/WikiLeaks involvement in the US political process. Until those events occurred, "hacking" was considered something that occurred largely outside of the overt political sphere, instead impacting private institutions (such as banks) and individuals (suffering identity theft) or occurring behind the closed doors of national security agencies. The extraordinary infiltration and disclosure of data from the Democratic Party, campaign officials and current and former US national leaders is vivid and tangible. Everyone can understand "if it can happen to them, it can happen to me." In this environment, data privacy and security issues may be manipulated, and related violations penalized, based on economic or political motivations.
2. US and EU approaches to data privacy have differed, but are converging
While there is no express general right to privacy in the US Constitution, several of its provisions (in particular, in the Bill of Rights) protect specific aspects of an individual's privacy,i and the Fourteenth Amendment is often interpreted (despite some prominent opponents ii) as guaranteeing a fairly broad right to privacy; spawning several seminal Supreme Court cases.iii In addition, many US states recognize related torts, such as for invasion of privacy and protection of rights of publicity. In Europe, privacy has a long tradition as a fundamental human right. It is enshrined in the European Union's Charter of Fundamental Rights, which is enforced by a dedicated Court of Human Rights and is the cornerstone for a plethora of related privacy law, regulation and cases.
However, historically, the approach taken by each jurisdiction to the privacy of data about individuals has differed. The data privacy regime in the European Union ("EU") reflects the "fundamental human right" approach and generally expects "privacy by default." In contrast, the US has tended to focus instead on the constitutional right to free speech, transparency and the people's "right to know." In the EU, any encroachment on overarching, universally applicable rights to privacy of an individual's data requires a specific justification, rationale or "lawful basis." In the US, by contrast, any assertion of an inherent right to data privacy generally requires specific law-making or expanded interpretations of existing law (whether by legislatures, regulators or courts) to "create" a right that does not otherwise exist. The EU has an omnibus data privacy regime, applicable in all industries and to all businesses,iv while the US has a patchwork of laws and precedents in specific areas such as health care, higher education and financial services.v When it comes to the consent of an individual to the collection of data about them, the US takes more of a libertarian view, so individuals are largely considered freely able to give consent to any use of their data by any means and in any circumstances, while in the EU, an individual's consent can be challenging to establish and rely upon in certain circumstances (perhaps most notably within the employer-employee contextvi).
When it comes to international business and relations, particularly across the Atlantic, these differences in approach and legal regime create tension. EU citizens and other stakeholders bemoan a lack of respect for EU data privacy laws by US businesses and government. EU courts have declared that the US does not provide "adequate protection" of personal datavii and in response have stretched territorial concepts to the limit in an effort to make global businesses headquartered outside the EU subject to EU data privacy laws.viii EU regulators have "upped the ante" by introducing new regulations with maximum fines based on a percentage of a business's worldwide revenues.ix Meanwhile, US businesses, which at home (outside certain sectors) have generally been free to use and monetize personal data as they see fit, unless there is a contract or law that specifically prevents them from doing so, have been frustrated by the EU legal regime and have been deterred from doing business in Europe. This is because the EU legal regime appears to many US businesses as introducing draconian and often entirely new compliance obligations. From a US perspective, the European approach jeopardizes profits and even existing business models, appears in a constant state of flux, and calls into question or invalidates entirely compliance mechanisms that were once considered adequate.x
Notably, the legal (and political) balance has appeared at times to be shifting to the European approach to data privacy. In order to facilitate transatlantic data transfers, the US government recently made significant concessions on issues like the surveillance and rights of EU citizens to litigate data privacy complaints in US courts.xi In addition, while there is currently no EU-style omnibus data protection law, there have been several moves to introduce one.
3. New privacy protection measures are rising in the US
The "holes" in the US patchwork grow smaller every day, with the regular introduction of new state and federal data privacy laws governing different issues, not to mention the FTC's increasingly active role in enforcing consumer data privacy and cybersecurity rights, under the general umbrella of "unfair or deceptive" trade practices. There have also been several recent examples of a policy shift by big business in the US towards "privacy-first" principles as a compelling consumer offering, even in the face of demands for cross-border disclosurexii and calls for decryption of consumer data in extremely dramatic scenarios. Finally, the plaintiffs' class action bar has shown a growing interest in damages cases for hacking and negligence on the part of hacked businesses.xiv
Government enforcement of law and policies is often the front line. However, there is a more serious enforcement mechanism at hand.xv The US pioneered the use of private litigation for the enforcement of public policy. Beginning over a hundred years ago with antitrust enforcement, followed by securities fraud, organized crime,xvi corporate corruption,xvii and, most recently, terror financing, the private right of action has been a mainstay of US policy and jurisprudence. It is the substantive and economic basis of a large part of the US legal profession. While its use in the data privacy context has been limited so far, and many cases get dismissed for lack of common injury or harm, there has been much discussion about this situation, and it is likely only a matter of time before there are new laws to address the issue.xviii New legislation, together with existing laws and case precedent, dramatically increases the pool of potential litigants and offers them ever more fertile opportunities to sue for data privacy incursions and violations, whether because of external hacking or internal mishandling (whether intentional, reckless or negligent). Government and private litigation often cooperate in pursuing enforcement targets, where the governmental parties seek criminal or civil penalties and the private plaintiffs seek money damages. This powerful combination can pose extreme, possibly existential risk for business defendants. And this is the likely future for privacy enforcement.
There are many possible scenarios of business risk in the constantly evolving landscape of data privacy rights, cyber threat capabilities, and regional economic and political interests. As a result, implementing a robust data privacy regime requires more than solid data management and security practices. A company's global market strategy increasingly must anticipate how data collection, use, and transfer restrictions are likely to change over time, and data privacy and security programs must be designed to respond to those changes faster than the competition.
i E.g., Privacy of beliefs (1st Amendment), privacy of person and possessions against unreasonable searches (4th Amendment), privilege against self-incrimination, i.e., privacy of certain personal information (5th Amendment).
ii E.g., Judge Robert Bork.
iii E.g., Meyer v. Nebraska, 262 U.S. 390 (1923), Pierce, Governor of Oregon, et al. v. Society of the Sisters of the Holy Names of Jesus and Mary, 268 U.S. 510 (1925), Griswold v. Connecticut, 381 U.S. 479 (1965), Roe v. Wade, 410 U.S. 113 (1973).
iv See Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive), and related EU legislation including Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications), Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. See also Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), which, as well as repealing the Data Protection Directive, amends the Directive on Privacy and Electronic Communications.
v See, e.g., Health Insurance Portability and Accountability Act ("HIPAA"), 42 U.S.C. § 300gg, 29 U.S.C § 1181 et seq. & 42 USC § 1320d et seq.(1996); Health Information Technology for Economic and Clinical Health ("HITECH") Act, 42 U.S.C. § 300jj et seq. & § 17901 et seq. (2009); The Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. § 1232 (1974); Gramm-Leach-Bliley Act ("GLBA"), 15 U.S.C. § 6801 et seq.(1999); Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq. (1970).
vi It is generally understood that an employer in the EU may be unable to obtain genuine consent from employees to process their personal data, on the ground that those employees might not, realistically, be able to refuse to consent (leaving such employers to pursue other options for legitimizing the processing of employee personal data). See, e.g., the fifteen year-old Article 29 Data Protection Working Party Opinion 8/2001 on the processing of personal data in the employment context ("If it is not possible for the worker to refuse it is not consent" and "where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data it is misleading if it seeks to legitimise this processing through consent".)
vii Case C-362/14 Maximillian Schrems v. Data Protection Commissioner.
viii Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, 2014 E.C.R. 317; Case C‑230/14, Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, 2015.
ix General Data Protection Regulation, supra note iv, Article 79.
x See, e.g., "European Court of Justice Invalidates EU-US 'Safe Harbor' Pact," (Oct. 14, 2015); New Threats to Transatlantic Data Flows as Model Clauses Come Under Fire (June 9, 2016); EU-U.S. Privacy Shield Challenged, (Nov. 2, 2016).
xi Judicial Redress Act of 2015, H.R. 1428, 114th Congress (2015-2016) (enacted). And see ANNEX A: EU-U.S. Privacy Shield Ombudsperson Mechanism, and, regarding Privacy Shield more generally, EU-U.S. Privacy Shield approved,(Jul. 12, 2016).
xii See, e.g., Microsoft Corporation v. United States of America, No. 14-2985 (2d Cir. 2016).
xiii See, e.g., Matt Zapotosky, "FBI Has Accessed San Bernardino Shooter's Phone Without Apple's Help," (March 28, 2016), Contrast with this example of the approach taken by a foreign government, with China moving to require technology suppliers to disclose their proprietary source code, to prove their products cannot be compromised by hackers.
xiv See, e.g., Dominic Patten, "Sony Hack Class Action Settlement Gets Final Approval," (April 6, 2016, 10:36 AM), ("the total price tag to Sony [from litigation arising out of a Nov. 24, 2014 data breach] is around $15 million, with a max of $10,000 per individual plus around $1,000-$3,000 to the group of initial plaintiffs"); Charles Riley & Jose Pagliery, "Target Will Pay Hack Victims $10 Million," (March 19, 2015: 3:05 PM ET), ("Target will pay customers who suffered from a 2013 data breach up to $10,000 each in damages.")
xv E.g., the Financial Crimes Enforcement Network, a bureau of the US Department of the Treasury, is empowered to enforce domestic laws prohibiting money laundering, terrorist financing, and other financial crimes. A federal district court in Minnesota also recently held that the Bank Secrecy Act (BSA) permits FinCEN to bring suit against individuals for willfully violating the BSA's anti-money laundering requirement, see, U.S. Dep't of Treasury v. Haider, No. 15-CV-01518, 2016 WL 107940 (D. Minn. Dec. 18, 2014).
xvi Racketeer Influenced and Corrupt Organizations Act ("RICO"), 18 U.S.C. §§ 1961–68 (1970).
xvii E.g., False Claims Act, 31 U.S.C. §§ 3729–33 (amended 2009); Foreign Corrupt Practices Act ("FCPA"), 15 U.S.C. § 78dd-1 et seq. (1977).
xviii Justice Against Sponsors of Terrorism Act ("JASTA"), Pub.L. 114–222, 114th Congress (2015–2016) (enacted); Judicial Redress Act, supra note xi.
Alan Gover, a Retired Partner of White & Case also assisted in the development of this publication.