European Union vs. United States: approaches to cybersecurity

By Stuart A. Panensky on November 6, 2014

The thing about electronic data is that it is not subject to traditional geographical boundaries. Policyholders must navigate a patchwork of regulations that often differ significantly from jurisdiction to jurisdiction.

Two of the largest producers of consumer data are the United States and the European Union. Both government entities wish to secure the sensitive data of their citizens, but they differ greatly on the policy approach to protect that data.

In 2012, Europe significantly revised data guidelines that were originally promulgated in 1995 via the EU Data Protection Directive. The US has traditionally never passed general federal data protection laws. However, various administrative agencies have taken the lead on data protection, including the Health and Human Services Office of Civil Rights, the Securities and Exchange Commission and the Federal Trade Commission.

The EU Data Protection Directive has seven guiding principles:

  1. Notice: subjects whose data is being collected should be given notice of such collection;
  2. Purpose: data collected should be used only for stated purpose(s) and for no other purposes;
  3. Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s);
  4. Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss;
  5. Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data;
  6. Access: subjects should be granted access to their personal data and allowed to correct any inaccuracies;
  7. Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.

To contrast, while the EU Data Directive has seven guiding principles, the FTC, for example, has issued three recommendations:

  1. Privacy by Design – companies should include reasonable security for data, limit the collection and retention of data and use reasonable procedures to promote data accuracy.
  2. Simplified Choice for Businesses and Consumers – companies should give consumers the option to decide what information is shared and with whom it is shared. This should include a do-not-track mechanism.
  3. Greater Transparency – companies should disclose details about their collection and use of the data and allow consumers to access the data collected about them.

The three FTC recommendations include many of the seven principles of the EU Data Directive. Typically, United States policy relies heavily on the private sector to voluntarily set up various data safety protocols, reasoning that it is in policyholders’ own self-interest to do so.

The EU takes a more government-centric approach to data security. The 2012 revisions to the EU Data Directive seek to create a national data protection authority in each EU nation and to strengthen the power of that authority to better enforce the EU data rules. The 2012 revisions also propose penalties for breaches of up to 1 million Euros or up to two percent of the global annual turnover of the offending company.

As data breaches continue to increase in frequency, US regulators and policy makers are under pressure to establish a more stringent enforcement system closer to the system in place in the EU.

Additionally, the EU continues to object to US companies that do business in the EU but fail to uphold the EU data protection requirements. Under the EU Data Directive, the data of its citizens is not to leave the EU. However, US companies have been permitted to store data of EU citizens on US servers so long as those companies follow EU data protection laws.

In fact, on August 14, 2014, the Center for Digital Democracy filed a complaint with the FTC alleging that 30 US companies are in violation of the Safe Harbor agreement and not complying with EU data protection laws.

Notably, EU officials have made 13 recommendations to the US in order to ensure it will continue to permit EU data to be stored in the US. Primary recommendations include: requiring greater transparency regarding a company’s privacy policy; an easily accessible database showing which companies meet the Safe Harbor requirements; a method of redress in US courts for European citizens who have their data privacy violated; and regular audits of companies’ data protection protocols.

As suggested above, the US may already be moving toward a more European model. The EU reports that it has reached a provisional agreement with U.S. regulators on certain principles, including that data should not be retained longer than is necessary and appropriate; that citizens should be allowed to access their data subject to certain conditions and request corrections if the data is inaccurate; and that there should be more effective oversight, including more authority for the FTC and other enforcement agencies to investigate complaints from consumers or citizens.

Finally, the Personal Data Protection and Breach Accountability Act of 2014 has been introduced in the Senate and it seeks to implement FTC recommendations by statute. The bill was introduced to the Senate on February 4, 2014; however, it remains in committee.

Stuart A. Panensky practices in Traub Lieberman Straus & Shrewsberry’s Construction Defect, Professional Liability, Environmental, and Technology practice groups. He primarily defends architects and engineers from third party claims of professional negligence. Stu also represents contractors, subcontractors as well as owners/developers in all aspects of construction litigation. He also handles environmental litigation including CERCLA and Spill Act claims, cyber claims (including coverage issues), as well as complex litigation management and insurance coverage litigation. He also lectures on technology and the law and on cyber claims, and co-authored a chapter in Data Security and Privacy Law – Combating Cyberthreats.