It is clear that technology moves quite faster than legislation.
American and European officials failed on Sunday to reach an agreement over how digital data — including financial information and social media posts — could be transferred between the two regions.
Despite last-minute talks, the two sides remained far apart on specific details required to approve a comprehensive deal. Without an agreement, companies that regularly move data, including tech giants like Google and nontech companies like General Electric, could find themselves in murky legal waters.
European and American officials had until Sunday evening to meet a deadline set by Europe’s national privacy agencies, some of which have promised aggressive legal action if the current negotiations founder. Those agencies will publish their own judgment on how data can be moved safely between the two regions on Wednesday.
With time ticking down, the two sides are now hoping to agree to a broad deal before European national regulators act on Wednesday, according to several officials with direct knowledge of the talks, who spoke on the condition of anonymity because they were not authorized to speak publicly.
Still, negotiators said sticking points remained — including over how Europeans’ data would be protected from surveillance by the American government and how Europeans could seek legal remedies in American courts — and neither side could guarantee the final outcome.
The rules governing the transfer of online data have become a vital issue for many businesses. Facebook and Google, for example, use the information to help tailor the advertisements that are central to their businesses. Many nontech companies, like G.E., move data related to their customers and employees, as well as on how their products are used.
No big American company is expected to change how it does business immediately. But many have gathered teams of lawyers to protect themselves in case no deal emerges.
“There’s a lot of uncertainty,” said Tanguy Van Overstraeten, global head of privacy and data protection at the Brussels office of the Linklaters law firm, who represents companies that may become tangled up in the standoff. “We need a solution. Global business relies on transferring data. You cannot stop that.”
The most recent talks have been taking place in Brussels. Senior officials from the Commerce Department, the Federal Trade Commission and other American agencies traveled there last week. They have been meeting with the European Commission, the executive arm of the European Union that is in charge of the negotiations, along with senior national politicians from across Europe.
With the talks increasingly stalled, Penny Pritzker, the United States commerce secretary, was expected to call Vera Jourova, the European commissioner of justice, on Sunday in the hopes of brokering a deal.
The negotiations began three months ago after Europe’s highest court invalidated a 15-year-old data-transfer pact, a so-called safe harbor agreement. The judges ruled that Europeans’ data was not sufficiently protected when being transferred to the United States.
European and American negotiators had been talking for years about a new deal, but the court’s decision — which went into effect immediately — made action increasingly urgent.
In recent weeks, American officials have offered a number of concessions to their European counterparts. They include increased oversight over American intelligence agencies’ access to European data, according to several officials involved in the discussions, who spoke on the condition of anonymity.
American officials have also proposed the creation of a so-called data ombudsman within the State Department. That office, according to officials, would give Europeans a direct point of contact in the United States if they believed government agencies had misused their data. Europeans also may seek arbitration directly with American companies that they accuse of unlawfully using their digital information.
European officials, though, have expressed doubts that those moves would hold up if challenged in European courts. They have asked the Americans to provide specific details about how the current proposals would work in practice, according to two officials. In particular, Europeans want more information on the limits to American intelligence agencies’ access to European data, and on how Europeans can file legal claims in the United States.
American officials have argued that their proposals will stand up to European legal challenges. They also believe the United States has levels of data protection comparable to those in the European Union, where privacy is valued as highly as freedom of expression.
“We’ve agreed to make major changes,” Bruce H. Andrews, the deputy secretary of the Commerce Department, said on Jan. 15. “The U.S. takes individuals’ privacy very seriously.”
Any company — large or small — that transfers information between the two regions may face legal challenges. But the most likely targets for litigation, privacy advocates say, are large American tech giants like Google and Facebook that rely so heavily on people’s data.
Several of Europe’s national data regulators, including Isabelle Falque-Pierrotin, the French privacy chief who is chairwoman of a Pan-European data protection group, have said they will back a new data-transfer agreement if all of Europe’s privacy rights are upheld in the United States.
But if a new pact is not approved — or does not meet national regulators’ standards — some European privacy watchdogs may demand new limits on the movement of data.
Several consumer groups plan to file complaints about how companies transfer data as soon as Monday, arguing that people’s rights are not upheld when information is moved to the United States.
“These issues are going to end up back in court,” said Peter Swire, a law professor at the Georgia Institute of Technology, who helped negotiate the original safe harbor agreement while working for the Clinton administration.
The importance of the deal to the companies and privacy groups has crystallized in recent weeks, as American executives and government officials made it a top priority.
At the recent World Economic Forum in Davos, Switzerland, for instance, Sheryl Sandberg, chief operating officer of the social network Facebook, held high-level discussions with a number of European and American politicians to voice the company’s concerns about the pending deadline, according to several people with knowledge of the matter.
Secretary Pritzker also met with Andrus Ansip, the European official in charge of the region’s digital agenda, among other local policy makers, at Davos to discuss the new pact.
On their way to negotiations in Brussels, a delegation of American officials made a stop in Paris last week, sitting down with a group of European national regulators to address concerns over how their citizens’ data was used in the United States.
In Brussels, several trade groups regularly shuttled between meetings with senior European officials last week. The groups representing the tech industry came armed with a series of legal opinions from leading data protection experts that played down the differences in the way privacy was handled in the two regions.
The legal arguments included details about why current United States rules were on par with those of Europe — a view that critics of America’s position jumped on almost immediately.
“That assessment just isn’t true,” said Jan Philipp Albrecht, a German politician who has called for stronger data protection rules. “There’s a massive difference over how this issue is treated in Europe compared to the U.S.”
How Europe protects your online data differently than the United States
Your digital footprint can quickly extend far and wide and be used in multiple ways. Your interactions on Facebook shape the ads you see there. The kinds of films and music you stream may allow online companies to make inferences about your political leanings or religious beliefs. And your health insurer may analyze details about your online shopping habits.
How much control do you have over how companies collect and use your information? And what mechanisms are in place to protect your data against misuse?
If you are in the United States or Europe, the answers vary, which has led to tensions between officials and disputes with companies. In the United States, a variety of laws apply to specific sectors, like health and credit. In the European Union, data protection is considered a fundamental right, which can have far-reaching consequences in all 28 member states.
All the talk about data privacy can get caught up in political wrangling. But the different approaches have practical consequences for people, too.
That One Bad Night
You made a stupid mistake 10 years ago, pulling a harmless prank while at college that led to your arrest and to misdemeanor charges that were eventually dropped. Your record was spotless before and has been since. But that mistake follows you online, since a local newspaper wrote about the arrest and the article shows up when anyone searches for your name online. What’s your recourse?
In the U.S.
The First Amendment of the Constitution protects freedom of expression, including the right of an individual to speak freely. There is no blanket ruling that allows people to delete or remove negative information about themselves online. |
In Europe
The so-called right to be forgotten legal decision allows you to ask search engines like Google and Microsoft’s Bing to remove links to the news article on European versions of those sites. (The news article remains available on the newspaper’s website.) |
Surprise! Your Bank Has Been Hacked
You have just received your monthly credit card bill after the holiday season. There are many luxury purchases you don’t recognize. Your card details — and those of thousands of other customers — have been stolen by hackers.
In the U.S.
Notification requirements vary by industry under federal law. Financial institutions, for example, are required to tell customers as soon as possible if a data breach could lead to misuse of personal information. However, companies may delay these disclosures if law enforcement officials determine that notifying customers could interfere with a criminal investigation. |
In Europe
Under new rules that will come into force over the next two years, any company must notify national regulators within three days of discovering a breach or face fines for not sufficiently protecting your data. |
All Those Clicks Add Up
You do thousands of searches on Google each year. You have hundreds of Twitter followers. And you have become addicted to the shopping and video services available through Amazon Prime. What information do these companies have on you?
In the U.S.
There is no single federal law or standard people can rely on to obtain copies of their records. But there are industry-specific rules. Patients, for instance, may request copies of their medical records from health-care providers. Some companies, like Twitter, also allow customers to download their own archives. |
In Europe
You can ask any company — for a modest administration fee — to send you details about what data it holds on you and what that information is used for. In most cases, companies must hand over the files within a month. In practice, the process is not always so smooth; some companies have declined to provide people with the data they had requested. |
My Child Has Fallen for Video Games
Your 10-year-old wants to set up a player profile on an online video game that collects personal information including children’s real names, locations, photos and email addresses.
In the U.S.
A federal law called the Children’s Online Privacy Protection Act requires children’s sites and apps to obtain parental permission before collecting personal details – like names and email addresses – from children under 13. The Federal Trade Commission enforces these protections. |
In Europe
Currently, there are no European-wide laws that apply specifically to how children’s data can be collected and used. Under new rules to come into force over the next two years, digital services like Facebook, Snapchat and Instagram must obtain parental consent before collecting data on anyone under 16 (and national governments can lower that age limit to 13). |