End-of-2013 Privacy News: Confusion in Europe, California Forges Ahead

As 2013 ended, the big news in privacy law was being made in the European Union and the California state legislature—as it has for the last twenty years. But whereas Europe is enveloped in confusion and uncertainty, California continues to forge ahead with new protections and requirements for businesses.

2012 saw the announcement of a proposed EU Data Privacy Regulation. It would continue current trends in EU privacy law, but with some significant new burdens. The new regulation would expand coverage to foreign companies “offering goods or services” to people in EU or “monitoring their behavior,” provide for private lawsuits and large fines against violators, make it harder for companies collecting data to obtain consent, and, most controversially, give EU residents a “right to be forgotten, and to erasure,” meaning the companies will have to somehow eliminate information that data subjects decide to take out of circulation.

The original predictions were that the proposed regulation would take two years or more to get through the European Parliament. Then, at the end of 2013, the EU Commission (the EU’s executive branch) announced a push to get the legislation through in early 2014. The latest news, however, coming out of a recent EU summit, is that the approval process will likely drag on into 2015. Businesses continue to lobby against the most onerous provisions, so 2013 ended with both the timing and the ultimate form of the law still up in the air. We continue to advise U.S. companies that do business in the EU that something essentially resembling the current draft is likely to be finalized in the next two years, and to start to prepare for that eventuality.

And in related EU news, the Safe Harbor appears to be in trouble. This provision, administered by the U.S. Department of Commerce, allows U.S. companies to receive transfers of personal data relating to EU residents by certifying that they are providing EU-level privacy protection. In the wake of the NSA revelations, a number of EU officials have suggested that the program has no teeth, or is merely a loophole that allows U.S. companies to evade scrutiny simply by saying that they are in compliance. A report from the EU Commission is expected soon, and many observers expect the EU to repudiate the Safe Harbor. Few American companies rely on it, but those that do should start planning for an alternative—such as the EU’s approved contractual protections—or risk losing the right to transfer data.

Meanwhile, California continues to be the leader in enacting privacy laws in this country. Several of the laws enacted in 2013 may affect businesses doing online business with California residents, including these:

• Data Breach Notification (Senate Bill 46, effective January 1, 2014): Expands the definition of “personal information,” the disclosure of which will trigger the duty to notify affected persons. The expanded definition now covers items that facilitate access to online accounts, such as user names, passwords, and security questions and answers. The Privacy Office of the California Attorney General has promised amended best practices guidelines in the near future.
• Online Tracking Transparency Act (Assembly Bill 370, effective January 1, 2014): Adds two new online tracking disclosure requirements for operators of websites, online services, and mobile apps that collect personally identifiable information from “consumers residing in California.” They must now disclose in their privacy policies (1) how they respond to Do Not Track signals and (2) whether third parties collect personally identifiable information on their sites and apps.
• Privacy And Advertising to Minors on the Internet (S.B. 568, effective January 1, 2015): Provides minors with an EU-style “right to be forgotten”—minors who are registered users of a website or app have the right to remove content that they posted to that service. The law also prohibits website and mobile app operators from using, disclosing, or compiling personal information on minors (or allowing a third party to do) in order to market products that minors cannot purchase, such as alcohol, tobacco, or firearms.

Other, more sector-specific new laws strengthen protections for health care records and prohibit the sale of utility (water, power, etc.) usage data. A variety of privacy bills are still pending. The most significant of these would give consumers a right to receive a copy of any personal information that a business has retained within 30 days of requesting it.