FCC Rule Repeal Darkens EU View of U.S. Privacy Commitment

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The repeal of an FCC rule to require internet service providers to get user consent to collect and share personal data weakens European Union trust in the U.S. privacy regime and may undercut a vital EU-U.S. data transfer pact, privacy professionals told Bloomberg BNA.

President Donald Trump signed a congressional resolution April 4 that rescinded a Federal Communications Commission rule requiring ISPs, such as AT&T Inc. and Comcast Corp., to seek subscribers’ permission before using their web-browsing history for marketing and other purposes. The rule was rescinded before it took effect.

The new concerns over the commitment of the U.S. to privacy come during the ramp-up to the first annual review of the EU-U.S. Privacy Shield cross-border data transfer program in September. Anything that might jeopardize the data transfer pact is cause for concern to the thousands of companies that use the program to transfer personal data out of the EU to the U.S. Without the program, it would be far more cumbersome for U.S. companies to carry out such transfers.

The Privacy Shield allows U.S. companies that self-declare their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. Over 2,000 U.S. companies are certified under the scheme, including Facebook Inc., Alphabet Inc.'s Google and Microsoft Corp. Tens of thousands of EU companies also rely on the program to legally transfer data to certified U.S. companies.

Some EU lawmakers and privacy advocates previously expressed concern about the Trump administration’s commitment to the Privacy Shield and whether there are plans to allow for broader U.S. government surveillance of data. Officials on both sides of the Atlantic have said they understand the economic importance of maintaining the trans-Atlantic flow of data.

EU privacy regulators from the 28 EU countries have been skeptical about the privacy protections that the EU-U.S. Privacy Shield puts in place, particularly as to the potential bulk collection of personal data by the U.S. government. Those concerns were the basis for the invalidation of the predecessor U.S.-EU Safe Harbor agreement data transfer pact by the EU’s top court.

European Data Protection Supervisor Giovanni Buttarelli said at a press briefing at the International Association of Privacy Professionals Global Summit that the repeal of the FCC privacy rules has left him skeptical as to whether the Trump administration is serious about upholding its obligations under the Privacy Shield.

Privacy Trust

The repeal of the FCC rule isn’t a violation of the Privacy Shield agreement, but it provides ammunition for Privacy Shield skeptics who argue that it isn’t up to EU standards, Todd Ruback, chief privacy officer at privacy consulting and software services company Evidon Inc./Ghostery Inc. in New York, told Bloomberg BNA.

The loss of EU trust in U.S. privacy “is an overlooked unintended consequence of rolling back the rules,” Ruback said.

Brian Hengesbaugh, a data protection partner at Baker McKenzie in Chicago, told Bloomberg BNA that the broadband privacy rule repeal shouldn’t have a direct affect on the data transfer program because the “Privacy Shield does not depend on the structure or existence of the FCC rules in any respect.”

However, the EU is “closely monitoring internal U.S. privacy developments, such as those related to the FCC rules, as an indicator to how the new administration will approach data privacy and security issues more generally,” he said.

Gary Southwell, general manager of data security company CSPi Inc., told Bloomberg BNA that the problem for the U.S. is one of perception more than legality. Trump’s March 6 executive order that appeared to remove Privacy Act protections related to the Privacy Shield is another example of the perception problem. Although the order didn’t ultimately present substantive problems, it “created initial confusion in the European Parliament” about the U.S. commitment to privacy, Southwell said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security