The European Union respects data privacy; the United States does not.
The Wall Street Journal’s report that E.U. regulators fined Meta, Facebook’s parent, $1.3 billion for privacy violations struck a raw nerve. The United States has no laws to protect the privacy of consumer data, and Meta was fined because it transferred data collected from its European users for storage in the United States.
E.U. regulators expressed concern that this U.S.-stored data would be purloined by American spy agencies without knowledge or legal recourse of the people from whom it was collected purloined.
Instead of stealing consumer data, U.S. spy agencies are now buying, and sharing, vast quantities of personal data, replacing the intrusive surveillance that spy and law enforcement agencies, domestic and foreign, once used. This is the conclusion of a report commissioned by the Director of National Intelligence. The purchase of data is not subject to Fourth Amendment restraints.
The E.U.’s move to enforce privacy policies must displease American companies who gather and use data in Europe, and it’s not the first time an American company was smacked big. In 2021, Amazon was fined $806 million for data privacy infractions.
The stated goal of the E.U. General Data Protection Regulation is privacy protection; it governs how E.U. residents’ personal data can be processed and transferred. Personal data is broadly defined as any information that relates to an identified living, natural person, including name, email address, I.D. numbers, and the like. Processing means actions taken, such as collecting, recording, storing, and transferring data.
Unlike the E.U., the collection and processing of the personal data of Americans is without restriction or regulation.
GDPR applies to companies offering goods or services to E.U. residents, or monitoring a person’s behavior inside the E.U. Access inside the E.U. to a passive website won’t subject a company to GDPR, but the sale of goods and services through a website will.
As Meta and Amazon learned, GDPR has very sharp teeth, and it authorizes fines as high as 4 percent of annual, worldwide revenues. This makes sense because the law is aimed at protecting what it calls the fundamental rights and freedoms of E.U. residents, and in particular, their right to protect personal data.
GDPR imposes many obligations on a collector of data in order to protect fundamental privacy rights. In addition to notification that data is being collected, the collector, called the controller, must inform of its identity and how to contact it; the details of its data protection officer; the purpose; where processing will occur; who will receive the data; whether the collector will transfer the data; how long the data will be stored; the right to correct or erase data and whether AI will be employed in the use of the data and the logic that will be employed to process the data.
Collecting and processing an E.U. resident’s data must occur with the consent of that person, and consent must be given for one or more specific purposes unless collection and processing is necessary to perform a contract or to comply with a legal obligation. Rules that mandate that data be processed lawfully, fairly, and in a transparent manner, recognize fundamental rights and freedoms of E.U. residents and their right to the protection of personal data.
GDPR provides for the right to sue in the E.U. country where the collector, or the processor of data if different, has an establishment. This is an important remedy, missing from U.S. laws, and the transfer and processing of data collected in the E.U. to the U.S. would make judicial proceedings substantially more difficult, if not impossible.
American companies spend heavily to lobby against laws like GDPR. They want to enjoy unfettered availability and use of this data fuel, one purpose of which is to drive AI engines for marketing purposes.
While few states may join California in creating data protection laws, Congress likely will not act. And open is the question whether the U.S. and the E.U. will enter into a new data agreement that will water down the E.U. protection.
The last data-sharing agreement was tossed out by the E.U.’s Court of Justice in 2020 on account of invasive U.S. intelligence programs that would gather personal data. In essence, that court required data transferred to the U.S. under the auspices of the E.U.’s agreement with the U.S., be subject to the same protection as data residing in the E.U.
James B. Astrachan is a partner at Goodell, DeVries, Leech & Dann, LLP and teaches trademark and unfair competition law at the University of Baltimore School of Law.
If you have questions about artificial intelligence and its implications for intellectual property, contact Jim at firstname.lastname@example.org.
This article was originally published in The Daily Record.