What Will the Future Be Like under the General Data Protection Regulation?

By TAP Guest Blogger

Posted on March 23, 2016


Contracts, Consent, and Privacy: What Will the Future Be Like under the General Data Protection Regulation?


This report is from the “5th Annual BCLT Privacy Law Forum: Silicon Valley.” The event took place on March 11, 2016, and was hosted by the Berkeley Center for Law & Technology and UC Berkeley School of Law.


This panel summary is written by Kalpana Sundaram.


Panelists at the 5th Annual BCLT Privacy Law Forum: Silicon Valley analyzed the role of consent in privacy protection and took a close look at the soon-to-be-approved General Data Protection Regulation (GDPR) of the EU.


Professor Paul M. Schwartz began the discussion by highlighting the differences between European and American privacy law. In Europe, there have long been strenuous efforts to protect consumers, and privacy is considered a human right. Both the Data Protection Directive (1995) and the GDPR are skeptical of consent in the privacy context. European law limits the scope of privacy interests that are alienable through contracts. Consistent with this approach, Article 7 of the GDPR emphasizes that consent must be presented in clear and plain language, and withdrawal of consent is allowed at any time. At the same time, while there is well-developed law in Europe defining privacy harms, enforcement mechanisms have been weak, although this may change under GDPR.


In contrast, in the United States, in the absence of an omnibus privacy statute, when Congress enacts privacy laws, it generally sets a minimum of safeguards and allows the states space for further action to adopt stricter protections. As a result of actions by the Federal Trade Commission and the requirement for posted privacy policies established by the California Online Privacy Protection Act (CalOPPA), there is a lot of pressure on organizations that collect personally identifiable information (PII) to specify how they use the data. However, American courts have yet to agree on a theory for privacy harm, which is especially problematic in cases involving data security breaches. In contrast to Europe, however, privacy enforcement is very strong in the United States, and Federal Trade Commission fines are the highest in the world. It is also accepted in the United States that companies depend on the PII of consumers, and consumers have very little individual bargaining power over the use of their information, a situation that has been called “surveillance capitalism.”


With this background, panelists turned to the GDPR. Dr. Anna Zeiter, Head of Data Protection at eBay, Inc., examined the one-stop-rule in Article 51 of the GDPR. Dr. Zeiter acknowledged that many European companies were initially excited by the idea of a single set of European rules providing a uniform, consistent, and expeditious process. However, the Court of Justice of the European Union (CJEU) dramatically weakened the initial concept of the one-stop-shop in the case of Weltimmo v. Nemzeti Adatvédelmi és Információszabadság Hatóság. As a result, even under the GDPR, compliance burdens will be high for businesses, and businesses might have to wait longer for decisions while still being subject to multiple national data protection acts. Dr. Zeiter pointed out that the GDPR sets very short deadlines for Data Protection Authorities to respond to compliance requests, which will require them to hire additional personnel and to create and implement more efficient processes.


Turning to Article 17 of the GDPR, James Koenig, attorney at Paul Hastings LLP, explained that the right to be forgotten (RTBF) presents a clash between the right to privacy and the right to free speech. Also, implementation of RTBF through Article 17 will pose practical difficulties, Koenig said, since social media companies and search engine companies will be treated as data controllers, even though the original data was not sourced from them. It is unclear how these companies can feasibly disassociate links and original sources of information. Koenig pointed out two unintended consequences of the right to be forgotten. First, companies will invest in stronger mechanisms to improve data workflows and quality. As a result, data streams will become much more precise and targeted marketing to users will increase dramatically. Second, when users try to exercise their right to be forgotten, they may ironically increase their own notoriety by drawing attention to the information they wish to conceal.


Professor Dr. Karl-Nikolaus Peifer discussed jurisdiction as defined in Article 3 of the GDPR. Dr. Peifer highlighted the importance of Google Spain SL v. Agencia Española de Protección de Datos, the right to be forgotten case, which expanded jurisdictional enforcement to non-European companies. The 2014 case involved a subsidiary of Google located in Spain, where the jurisdiction of the Spanish courts over Google’s U.S. parent was not clearly established. In its ruling, the CJEU stated that EU data protection rules are applicable regardless of the location of the company processing the data, so long as the company has a subsidiary or a branch in Europe. Accordingly, EU data protection rules are not only applicable to the search engine’s EU subsidiaries, but also to its sites located outside the EU.


Dr. Peifer also emphasized the importance of Weltimmo v. Nemzeti Adatvédelmi és Információszabadság Hatóság. In Weltimmo, the CJEU issued a decision on the question of whether national data protection law should be applicable within the European Union if the operator of a website offers cross-border services in the EU market. The decision softens the country of origin principle, which states that the national data protection law of the country in which the data controller is located applies. In particular, the court set out a three-pronged test: (1) Is there an exercise of real and effective activity – even a minimal one? (2) Is the activity through stable arrangements? (3) Is personal data processed in the context of the activity? As a result of Weltimmo, businesses now must monitor where they are targeting the citizens of other Member States even if there is only a minimal presence.


Finally, Kurt Wimmer from Covington discussed Article 79 of the GDPR, which establishes the potential for very high fines, which will impact the way companies interact with regulators. Article 79 creates a two-tiered structure for fines, with varying maximum fines stipulated for different transgressions. First, violations of the obligations of controllers would carry a maximum penalty of 10,000,000 EUR or 2 percent of global revenue, whichever is larger. Second, violations of the rights of data subjects would carry a maximum penalty of 20,000,000 EUR or 4 percent of global revenue. Wimmer emphasized that there have never been uniform fines in the EU before, and the GDPR still requires that fines be proportionate to the improper behavior. Thus, there is a risk that many regulators will deal with the same behavior in different ways. Wimmer also pointed out that under the GDPR, every regulator in Europe could fine a company, not just the Data Protection Authority that regulates the place of establishment or main headquarters.


All in all, despite the GDPR – or possibly because of it – large challenges loom for companies doing business in Europe, and the future of trans-Atlantic data flows holds further controversy.



This conference summary was written by Kalpana Sundaram, JD, UC Hastings.

