Corporate TIPS Blog: GDPR Enforcement Update: Can European Union Authorities Enforce Their Laws On U.S.-Based Companies?
By Craig S. Horbus & Nicole M. Thorn on November 13, 2019
GDPR compliance is a top cybersecurity and technology issue for companies, and one we have outlined in previous blog posts. In these last few weeks, European courts have applied European Union (EU) law inconsistently against U.S.-based companies. One case implicated the portion of the General Data Protection Regulation (GDPR) known as the “right to be forgotten.” The other involved the EU’s e-commerce directive. Because these are EU-based laws, however, questions remain as to the jurisdiction of the EU’s privacy enforcement authorities over U.S.-based companies.
To recap, the right to be forgotten is part of the larger set of rights EU citizens have under GDPR to control who has their personally identifiable information (PII). Under this law, an EU citizen has the right to demand their information be stricken from an entity’s records. But this law conflicts with the U.S. fundamental right to freedom of information of internet users. That conflict came up in a recent case, under the notion that once this information is made public in such places as Google, those privacy rights cannot prevail over another’s right to freedom of information.
On September 24, 2019, the European Court of Justice narrowly interpreted its enforcement against Google, holding that this right to be forgotten was only applicable in the EU and not globally. This ruling stems from a case in which France’s data protection authority ordered Google to delist certain third-party links in search results from all of its domains under the protection of this law. The European Court's finding that this delisting was only valid as to EU users’ indices was a welcome result for non-EU companies. Google ultimately saw this as a win since the application of the law was only impactful in a limited scenario.
Just nine days later, however, Facebook received an opposing and unfavorable view from the same court. Citing the EU’s e-commerce directive, Europe’s highest court held that “EU law does not preclude such an injunction from producing effects worldwide” after an Austrian court ordered Facebook to remove (from all users’ view) defamatory remarks by one Facebook user against an Austrian politician, Eva Glawischnig-Piesczek. The EU Court did find, however, that such an injunction must operate within the confines of other applicable international law. In this case, the EU Court deemed these remarks “illegal” because they were “identical to defamatory comments,” which are illegal. The takedown order ultimately affected all users, not just those residing in the EU. Citing the overreach of one country’s law over another’s, Facebook emphasized the need for clarity in terms of what constitutes “illegal” because this term may be defined differently under another country’s laws.
International privacy laws and the EU’s authority over U.S.-based companies are still murky at best. Add in domestic laws regarding similar privacy concerns to this layer of conflicting international law, and it’s easy to understand why companies feel caught in the quagmire of compliance. Stay tuned as we watch the test of privacy rights continue to play out.
Brouse McDowell’s Corporate Practice Group has extensive experience handling cybersecurity and privacy issues for all types of businesses. We are available to help you with both simple and complex issues as well as proactive compliance in the current conflicting regulatory environment. Please contact us to discuss your legal needs.