Throughout history, people have waged sectarian fights to protect their beliefs. The Europeans, sitting at a crossroads of two major religions charged with converting the unenlightened, have a particularly combative past.
The belief that privacy is a fundamental human right is currently held as an essential tenet for managing European society. The privacy right is written into the European Union (EU) Charter. This belief is held so deeply among European privacy regulators, presented in such moral and ethical language, and protected with such vehemence against opposing views and practices, that it seems to have become an item of pure faith. The “right to privacy” as defined by regulators has become a semi-religious European principle for maintaining a civilized society.
In the internet age, the EU has built its laws to restrict collection of data about its residents and to restrict company use of such information without specific resident permission for each action taken. The EU asserts that its citizens share faith in emphasizing privacy protection over economic creativity. According to a 2017 poll of 27,000 EU residents taken by the European Commission, 70 percent of the respondents are not willing to sacrifice online privacy in exchange for improved services. EU Commissioner Vera Jourova has said that she believes Americans “should be more attentive about what is happening to their privacy” and that “[w]e [EU legislators] want to set the global standard.” To bolster the weapons of their war against anyone who threatens their beliefs about online privacy, the EU passed the General Data Protection Regulation (GDPR) applicable as of May 25, 2018, which tightens privacy rules, adds new rights for its residents, and provides a series of new enforcement tools.
EU privacy regulators have spoken plainly about where they would aim the weapons provided in the GDPR. European parliamentarian Viviane Reding, who initiated the GDPR in 2012, told the New Yorker that she did so because “the big companies, like the American [Google, Amazon, Facebook, and Apple] . . . just ignored the old law.” She then said that under the new regime, penalties for impeding the EU’s privacy priorities would be harsh enough to keep the American tech companies in line. As expected, these American companies were attacked with GDPR lawsuits by European privacy organizations within minutes of the law coming into force. This new religious war over online privacy will force many U.S. companies to depart from data practices and revenue models that have always been legal in the United States.
To examine the unilateral extraterritorial effects of the GDPR, it is necessary to separate the essential function of the law—protecting EU resident privacy—from the new rules instituted to expand execution of the law. Many companies headquartered in the EU and elsewhere may completely agree with the personal data protections at the core of the GDPR; however, thousands of U.S. companies have grown internet-based business models over the past 25 years without the regulatory restrictions necessary to meet GDPR’s obligations, and those companies may lose their core revenue generation by acceding to the new EU requirements. So without addressing the wisdom of the EU’s privacy priorities and regulatory regime in contrast to those of the United States, this article examines new GDPR enforcement mechanisms apparently directed at bringing to heel companies headquartered and primarily operating outside of the EU.
In other words, this article is not addressing what privacy rights should exist, whether the EU or U.S. views of privacy are ethical or correct, or any other matter relevant to how people should be protected online or how data-collecting entities should comport themselves. Instead, the following paragraphs analyze the EU attempts to enforce their privacy laws on U.S. companies and the often unprecedented tools created to effectuate extraterritorial enforcement. The EU beliefs are not questioned, only their manner of imposing the practice of those beliefs on others who may not hold them in an effort to manage the data of EU residents wherever it resides.
BOLSTERING THE BRUSSELS EFFECT
With 500 million mostly well-off people, the EU has been able to force world economies to comply with its rules in order to do business there. Pushing that economic weight around to change the behavior of citizens in other jurisdictions has been called the “Brussels Effect.” The United States also uses its economic power to affect the behavior of importers, but U.S. laws tend toward low regulation and confirmation of accepted international norms. The EU, on the other hand, not only pushes its priorities on foreign companies, but also sharply regulates behavior in many areas, from anti-trust to chemicals to food safety. As Alan Beattie wrote in the Financial Times, “The U.S. complains bitterly that the EU’s approach leads to products such as beef raised with growth hormones, or poultry washed in chlorinated water, being banned from sale in Europe.” Exporters from less industrialized countries find it even more difficult to meet the EU requirements.
Many of the EU regulatory positions can be surprising to U.S. citizens because they reflect the ways in which European society and priorities differ from those in the United States. For example, Europeans tend to be more concerned than others about chemicals or new treatments for food, while allowing less pasteurization than U.S. states for milk products. More relevant to this article, Europeans tend to be more willing to police business models and behavior with proscriptive rules on environmental, consumer, and employment issues. In an article on the Brussels Effect in the Northwestern Law Review, Columbia Law School professor Anu Bradford wrote, “EU policymakers’ preference for stringent regulation reflects their aversion to risk and commitment to a social market economy. European consumers rank environment and food safety higher than crime and terrorism when asked to evaluate various risks, leading to distinctly high levels of consumer and environmental protection.”
The EU often portrays its aggressive personally protective regulatory stance as “normatively desirable” policy enlightening the rest of the world. For example, the EU Commission issued a statement in 2007 that directly stated the unilateralist ethical goals of its regulatory scheme, which “gives the EU the potential to shape global norms and to ensure that fair rules are applied to worldwide trade and investment. The single market of the future should be the launch pad of an ambitious global agenda.” The EU leadership believes it knows best how other countries and their businesses should behave, and the EU works to set the standard for less-enlightened countries like the United States. As Professor Bradford wrote, “In describing its global role, the EU legitimizes its strategies by claiming that its values and policies are normatively desirable and universally applicable. Seen in this light, the EU’s externalization of its regulatory preferences reflects altruistic purposes of a benign hegemon. . . . By emphasizing the universal benefits of its global regulatory agenda, the EU often succeeds in obscuring the de facto unilateralism that drives its implementation.”
However, where the EU sees benevolent moral leadership, others see raw economic protectionism. In the February 22, 2018 edition of The Daily Telegraph, Legatum Institute Special Trade Association Chairman Shankar Sindham wrote, “The drive toward ever-greater regulatory prescription means that the European Union is acting in a protectionist manner.” The Czech president Vaclav Klaus recognized this in his 1997 book Renaissance: The Rebirth of Liberty in the Heart of Europe in which he wrote, “claims for quasi-universal social rights are disguised attempts to protect high-cost producers in highly regulated countries, with unsustainable welfare standards, against cheaper labor in less productive countries.” Admitting the effect and the motivation, in 2011 the EU Commission wrote in a public communication to the European Parliament, “. . . the creation of the European standard [shall] be carried out rapidly with the aim of asserting it as an international standard. This would maximize first mover advantage and increase the competitiveness of European industry.” It is not surprising that the EU Commission would recognize that shackling costly regulations to the businesses of Asia, Africa, and North and South America would be a boon to the competitiveness of European industry that must follow these regulations at home.
Whatever the motivations, the Brussels Effect is a real influence on foreign companies and the foreign governments that support them. Although food, chemicals, and environmental protectionism have been the regulatory beachheads of the recent past, data privacy has been brewing for decades as a battle in waiting, and Europe is now taking its crusade to the rest of the world.
PRIVACY AND HUMAN RIGHTS
Both the EU and the United States enforce rules to protect the privacy of their residents. The United States protects its residents’ financial, health, and children’s information, and it otherwise allows regulators to penalize companies for committing unfair or deceptive data practices. This targeted system enables businesses to build new models of data management that will generally be legally challenged only if a consumer or employee is hurt by the activity.
The EU regulation begins from a different set of assumptions. Under the EU regime, a resident, or “data subject,” has a fundamental right to determine how certain information relating to the data subject is collected and used by others. The 1995 EU Data Privacy Directive held that information systems “must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy.” The GDPR, which replaced this directive, contains similar language. So if an EU resident hands information to a social network, runs an internet search, or buys a pair of shoes online, the companies handling his or her data may only use the information for the purpose it was provided and nothing more without permission of the data subject. Overarching regulations make data-collecting entities prove that they are complying with this rule or suffer crippling penalties.
The EU has now increased efforts to force U.S. companies to treat information in the manner prescribed by EU regulations, even where some of these regulations might violate the U.S. Constitution. Passage of the new GDPR deepens the European effort to hold U.S. business to otherwise inapplicable EU standards of data management.
The GDPR tightens some requirements to protect the data of individuals, it adds new personal protections like the right to data portability, and it creates enforcement mechanisms to encourage compliance. Some of these enforcement mechanisms extend the reach of National Data Protection Authorities to companies residing outside the EU.
PRIVACY PROTECTION AS A MORAL IMPERATIVE
To analyze the GDPR’s enforcement regime, we must first examine why the EU feels justified in acting unilaterally in forcing non-EU companies to follow internal European rules. Some of this reasoning is purely practical. We live in a world where a digitized unit of information can flow to thousands of computers in hundreds of jurisdictions simultaneously and be copied an effectively infinite number of times. So when protecting the private data of its residents, it may be rational for a parliament to try to extend those protections beyond its borders to wherever the private resident data resides, or at least try to burden the companies removing the data with obligations consistent with local laws. Otherwise, data escapes the jurisdiction instantly and is beyond the reach of EU regulators.
As shown above, however, some of the justification is moral. Citing the weakening in the United States of legal restraints on privacy in digital markets, the EU data protection board has written “that the EU should lead the conversation on the ethical consequences of the digital transformation.” Vera Jourova, the EU Commissioner in charge of privacy, has described the GDPR as a “loaded gun” for regulators and said, “If we can export this to the rest of the world, I will be happy.” She has also said that she found U.S. data protections to be weak, that the EU Commissioners would like to see U.S. privacy law move closer to EU law, and that “I am not satisfied but we will have to live with the legislation as it is now in the U.S.” The EU regulators see their new law as a morally protective law that should be exported to the rest of the world. From the first days of the EU, privacy was listed as one of the fundamental human rights.
Casting a fuzzy, complicated, and circumstance-dependent concept like data privacy as a fundamental human right is an inherently combative position. Fundamental human rights are essential to a civilized and moral existence, so a society that refuses to recognize such a right is, by definition, immoral. As the editors of the Economist wrote on August 16, 2001, “In the eyes of governments today, certain human rights in the civil and political realm have attained the status of moral absolutes. Abusers of these rights face sanctions and censure, even if their actions are mandated by the democratic processes of a sovereign state.” If privacy is a fundamental right for the EU, then the EU can justify as a moral imperative sanctioning anyone who violates the EU’s interpretation of that right. A specific flavor of personal privacy protection has become a religion to EU regulators, and they intend to spread the religion to the rest of us, whether we want it or not.
TOOLS OF THE HOLY WAR
The GDPR and previous EU privacy law contain several novel tools for forcing countries and companies outside the EU’s direct jurisdiction to comply with the EU’s privacy rules. In this crusade to force submission to EU priorities, Europe has implemented old strategies and tried entirely new ones. It remains to be seen how effective any or all of these weapons will be, but the international order has just been introduced to a new era of European ethics-based aggression through extraterritorial regulation.
Distinguishing between believers and nonbelievers is a core feature of most modern religions. Just as religions divide the population into categories of the saved and the damned, the faithful and the infidel, and the chosen and the heathen, Europe has divided the nations of the world into the chosen few who have accepted EU privacy regulations into their hearts (and laws), and the great unwashed many who are not allowed to receive EU resident data without special dispensation. Couched in terms that assume a country’s failure to measure up to an appropriate standard, rather than the usual regulatory language of compliance versus noncompliance, the EU judges whether other nations’ laws are “adequate” to store the data of Europeans.
The EU’s first step in establishing its moral authority in the privacy realm is the notion of “adequacy standards.” This tool for imposing the EU’s entire privacy regime on other countries was already in place prior to passage of the GDPR. EU rules provide that nations must have adequate data protection that comes close enough to the EU ethical standards so that personal information arising from the EU can be transferred to those jurisdictions. As reported in the Financial Times on May 13, 2018, the EU “is exporting digital governance not through reciprocal deals but unilaterally bestowing ‘adequacy’ recognition on trading partners before allowing them to transfer data.” Canada, Argentina, and the Faroe Islands are morally adequate. Most of the rest of us are not. Under this scheme, the EU holds out the promise of economic cooperation with any country that comes on bended knee to establish data adequacy. For “inadequate” countries, EU rules forbid transfer of private data of EU residents to these jurisdictions unless their businesses jump through additional hoops, mostly prescribed in EU regulations. Bend to Brussels on this human right, or your companies suffer extra costs, regulatory burdens, and likely fines.
Required EU Representation
In Britain during past centuries, people employed the services of a sin eater to absorb the sins of relatives who died without confession, thus keeping the soul of the dead from walking the earth. By eating a ritual meal, often off of the chest of the deceased, the sin eater allowed a family to more peaceably bury their recently lost relative, but the cost to the sin eater was great. He was not only an outcast, but he bore the cumulative burden of all of the sins from all of the dead people for whom he performed the ceremony, and he carried that burden into the afterlife.
Similarly, the EU has created a new role—a person paid exclusively to accept and receive the regulatory or legal burden for the data privacy sins of foreign companies—an official role hardly enforced before the implementation of the GDPR. Article 27 of the GDPR requires foreign entities that are caught by the extraterritorial provisions of the GDPR to appoint a representative in one of the EU member states where their data subjects reside. The National Data Protection Authorities and aggrieved EU data subjects are given the right to fine or sue this representative either alongside or instead of the foreign entity that improperly handled EU data. Thus, like the sin eater, this representative is appointed to pay for the sins of his customer. Many jurisdictions require companies to name a local representative to receive official correspondence, but this is the first modern civil statute to require a local punching bag.
It is assumed that any entity accepting this GDPR sin eater role will be able to receive indemnification for the official penalties from the foreign entity that actually committed the penalized offense, but there are obviously no guarantees. The offending foreign entity may escape collection actions in any number of ways, and the law assumes that the GDPR sin eater will be able to afford to attempt collection after paying its fines. The EU governing bodies do not seem to care about leaving the GDPR sin eater with the entire burden of regulatory action so long as the bureaucrats and/or data subjects are paid. This system seems rife with problems and inconsistencies, such as how to ensure that the representative cannot simply close its doors without paying anything.
Data Protection Officers
In 1541, John Calvin returned to Geneva, managed to pass a set of ecclesiastical ordinances, and ruled the city with both an iron hand and a severe theology. His government proscribed all forms of celebration, frivolity, dancing, card games, and theater, and it outlawed anything but the plainest dress. “Libertines” who opposed this regime were tortured and excommunicated. In order to catch those Geneva citizens opposed to the new religious laws, Calvin sent preachers into people’s homes to both teach them in the ways of his harsh new religion and to interrogate the citizens. He sent spies to all corners of the city. Every parish had its own assigned moles and infiltrators.
In the present day, the EU privacy rules create their own new specialized role of teacher, inquisitor, and mole. Many entities subject to the GDPR must appoint a data protection officer (DPO) who reports to the entity’s highest ranking officer, but whose loyalties are expected to be given to the EU data protection bureaucracy. The statutorily defined roles of the DPO include advising his or her company of its GDPR obligations, monitoring and auditing compliance with GDPR rules, cooperating with GDPR regulators, and “acting as the contact point for the supervisory authority” with regard to any matter. Entities under the GDPR are required to grant the EU regulators an internal spy to teach the new religion, interrogate colleagues, and identify internal infidelity and apostasy as contact person for the authorities. One more thing: this mole cannot be fired for any reason that might be interpreted as “performing his or her tasks.” So not only does the EU require that a company hire and pay a person who is, by definition, not entirely loyal to the company, but the company cannot punish or terminate that person for disloyalty to the company.
Presumably the DPO will be expected to report on the adequacy of his or her own company’s expenditure of money on GDPR compliance, making judgments about whether the company is spending enough to satisfy EU privacy regulators. It is also likely that the DPO will be called upon to testify against the company at regulatory hearings and court proceedings, and cannot be terminated for doing so even if the employing company does not agree with the facts of the testimony. It will be easiest for the DPO to hew to the most conservative construction of a wildly vague and unmanageable law, potentially costing the DPO’s company vast resources in strictest compliance. The DPO removes a company’s flexibility in interpreting the law and deciding how to conform with it.
Favoring EU Residents in Enforcement Cases
Saint Augustine of Hippo, writing in the 4th and 5th centuries, illuminated the Christian doctrine of original sin, which posits that every human is born sinful. The concept of original sin was formalized as part of Roman Catholic doctrine by the Council of Trent in the 16th century. Original sin is not simply an inherited spiritual defect in human nature. It is also the “condemnation” that goes with that fault. Under this doctrine, all humans should be automatically considered to be sinners and therefore condemned for their sins without need to prove that the sins occurred.
The EU has initiated a similar concept, stacking the deck against any company that loses EU resident data and leaning heavily toward condemnation of the accused. In audits, the GDPR adds the “accountability principle,” according to which every data controller is obliged to prove its fulfillment of all the legal requirements based on internal paperwork. The company is assumed to be in violation of the law unless it can prove otherwise. The EU, like some religions, judges a company guilty unless proven completely innocent.
This direction is especially troublesome in the instance of data loss through hacking. There is no such thing as absolute security. Any system can be hacked or broken with enough time, resources, and cleverness. A clear example is the theft of $100,000,000 of gold, diamonds, and jewelry from the Antwerp Diamond Exchange in February 2003. Despite tens of millions spent by the exchange on a private full-time security force and all of the latest protective measures, thieves were still able to break into the vaults deep underground and steal diamonds. The same is true for stealing data. Insiders or brilliant hackers can break into any company’s system and can access the information inside even if the target company has done everything possible to protect the information.
The European Union refuses to acknowledge this basic fact about our world, building audit assumptions into its law that any victim of data hacking is automatically responsible for its own victimization. The GDPR view of litigation is not much better. Previous cases have shown that every company holding an EU resident’s private data assumes an automatic obligation to protect that data. If a regulator or claimant then makes a showing that the data was exposed under the company’s control, the company is presumed liable unless the company can prove “that it is not in any way responsible for the event giving rise” to the data exposure. How would a company prove that it is not in any way responsible for a theft? That is one of the many holes left to speculation by the EU privacy authorities.
How could a U.S. company fall afoul of this new favoritism to EU data subjects? Any little mistake in data protection, or any action taken to comply with the GDPR that EU regulators felt did not go quite far enough, could sink a company into fines and EU resident compensation. For example, the GDPR requires that a company store data for a “strict minimum” period of time. If a company’s definition of “strict minimum” in this circumstance is less stringent than the EU regulators’, then the company doesn’t meet its burden of showing it was “in no way responsible” for the breach. The EU enforcement bureaucracy would argue that if the data had been purged earlier, then it would not have been improperly accessed. In short, the new subjective standard combined with vague requirements likely means that a company suffering a data hack is fiscally responsible for any data exposures regardless of how strong its data protections might be.
In addition, the GDPR assigns liability to both data controllers and data processors, so we should expect to see hacking attacks on data processors that result in damages against the processor for failing to stop the hackers, and against the controller for failing to hire a processor with impossibly perfect security. Both companies will have a difficult time overriding the presumption that they are each responsible for losses of data, so both are likely to be forced to pay regulators and data subjects whenever data is lost.
Religion is a salve for the soul, providing answers and comfort in the hardest of times. The EU has decided that its residents with privacy claims should also receive a salve for their emotional turmoil and has built this plan into the GDPR. Thus, the companies found liable under the scheme described above will be paying cash compensation for embarrassment, emotional distress, practical frustration, and hurt feelings of data subjects.
Under Article 82 of the GDPR, any person who has suffered material or nonmaterial damage as a result of an infringement of the GDPR has the right to receive compensation from the data controller or processor ruled responsible for the damage suffered. The individual is entitled to bring a compensation claim in the courts. Throughout the world, lawsuits against companies that lost data to hackers have generally either been settled by the parties or dismissed. One of the primary reasons for the many dismissals has been the inability of plaintiffs to prove damages. The plaintiffs can often show that data describing them held by defendant entities was lost to thieves, but cannot demonstrate or account for significant or quantifiable damages arising from these losses. The new EU position will change this dynamic so that any person who can successfully claim that his or her data was lost receives the benefit of the doubt that he or she was harmed in some way by the loss. The claimant will not need to quantify the losses to collect from a company not meeting EU standards.
We have not yet seen exactly how this benefit plays out, but it is reasonable to believe that little more than hurt feelings and extra time spent calling banks will be enough for a payout from the controller and/or processor. A common nonquantifiable request by plaintiffs in U.S. cases has been based on fear of identity theft. It is anticipated that such nebulous fears will be compensable under the GDPR. So not only will U.S. companies be targeted in Europe under the new law, but the entire deck is stacked against them. Standard tort law around the world is based on a plaintiff proving that the defendant had an obligation to protect the plaintiff, that the defendant behaved in a manner that makes it liable to the plaintiff, and that the plaintiff has demonstrable damages arising from this behavior. In EU agencies set up for the sole purpose of protecting the rights of data subjects, the obligation of data-possessing companies is assumed to exist, and the playing field is further tipped against data-possessing companies on both liability and damages by the GDPR. It is difficult to see how a company that lost data in a computer hack could win in an action based on the GDPR no matter what the circumstances.
Given this practical near impossibility of emerging unscathed from an award of damages under the GDPR, it will be surprising if any insurance companies are willing in the future to provide broad cyber coverage to U.S. companies doing business in Europe. Of course, it is possible that the insurance industry will simply begin to write exclusions for the inevitable EU lawsuits and regulatory actions, as well as the penalties and damages likely to follow, with brutally expensive premiums to pull EU risks back under the policy. The risks for business have drastically changed, and insurance calculations will soon follow.
Religions often propose impossibly terrifying punishments for those people who do not live according to their tenets—banishment, stoning, eternal damnation, and constant regressive recycling of lives to name a few. The terrors are necessary to keep the faithful in line and to mete out karma to those who deserve it. Some of the worst punishments imaginable have been invented or perfected in the name of religion.
The GDPR, in an admitted attempt to rein in U.S. data giants like Google and Facebook, has structured an absurdly high set of punishments for companies that it weighs in the balance and finds wanting. Fines against noncompliant companies can be the greater of €20 million or 4 percent of the company’s global gross annual revenue, which could be as high as $2.8 billion in the case of Facebook or $3.5 billion for Google. This degree of damaging punishment is much greater than the EU has previously charged criminal enterprises committing massive fraud on the public. Prior to 2018, the EU record for criminal fines on antitrust price collusion was $3.2 billion split up against at least five truck manufacturers, which doubled the previous highest antitrust fine. Counting the most recent monster $5.1 billion antitrust ruling, the EU’s two biggest fines ever were levied against Google and its parent, Alphabet, and the EU seems to be gearing up for more crippling penalties against U.S. technology companies.
Why would the EU penalties for operating a database business—a business legal under nearly all other laws in the world including those in the United States—be several times higher than previous penalties for nontechnology businesses intentionally violating EU rules and even for blatantly lying to regulators? Often logic is cast aside in a religious war in favor of harshly punishing those who may not agree with the fighter’s strongly held beliefs. The EU could be taking these extreme positions to create room for its own industry in the most profitable technological realms of the 21st century; however, the extreme punishments of data holding companies, combined with a system that strips presumptions of fairness in the process leading to punishment, may simply be a European power play to bring the rest of the world in line with EU beliefs on privacy.
The unprecedented set of enforcement tools described above enables the EU to attack extraterritorially and punish U.S. businesses for violating the GDPR. This regime is apparently driven more by emotion and faith than by logic or respect for the traditional international order, and it will create chaos and wildly unfair results for U.S. companies. American business must understand the rules and their impact to decide whether offering data services in Europe, in the midst of a holy war against U.S. data policies, is worth the risk.
* Originally published in Business Law Today.