Internet Privacy – What the U.S. Can Learn from the European Union

With respect to Internet privacy, as a result of recent U.S. government action, Americans now have less protection and are more at risk of government surveillance and potential misuse of their personal information, as compared with citizens of the European Union (EU).

By overturning the FCC’s 2016 broadband privacy rules under the Congressional Review Act and, in doing so, barring the FCC from adopting substantially similar rules in the future, the U.S. government has created an enormous Internet privacy regulatory void. As a result, there now appear to be no federal regulatory limitations on the types of personal information Internet Service Providers (ISPs) may collect, use and disclose about their subscribers’ Internet activities, and no obligations imposed on ISPs with respect to data retention, data protection or breach notification.

This regulatory void in the U.S. contrasts sharply with EU law, which generally prohibits ISPs from using or disclosing any personal information without the opt-in consent of their subscribers. Under the EU’s new General Data Protection Regulation (GDPR), the consent must be “freely given, specific, informed and unambiguous.” A higher level of consent – “explicit” consent – is required for the processing of “special categories of personal data” that are considered sensitive.

EU law also unequivocally precludes the “general and indiscriminate retention of traffic data and location data.” Recognizing that every phone call, text and Internet connection generates data about the location, time and duration of that communication, the Court of Justice of the European Union (CJEU) in Tele2 (Joined Cases C-203/15 and C-698/15, Tele2 Sverige and Watson, judgment of 21 December 2016) recently held that

[this] retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as everyday habits, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and social environments frequented by them. . . . In particular, that data provides the means . . . of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right of privacy, than the actual content of communications. (Emphasis added.)

Significantly, in its judgment the CJEU describes such communications data as “sensitive,” suggesting that it takes an expansive view of what constitutes “sensitive” data, one that goes beyond the text of the GDPR: traffic and location data are not among the “special categories of personal data” enumerated in Article 9 of the GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data, and data concerning a person’s sex life or sexual orientation).

EU law also creates an exception for the targeted retention of traffic and location data, for the purpose of fighting serious crime, “provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.”

To satisfy these requirements, the CJEU stated that there must be “clear and precise rules governing the scope and application of such a data retention measure and imposing minimum safeguards, so that the persons whose data has been retained have sufficient guarantees of the effective protection of their personal data against the risk of misuse.” To ensure that data retention is limited to what is strictly necessary, the CJEU further held that, with respect to the substantive conditions which must be satisfied to authorize the retention of traffic and location data, “while those conditions may vary according to the nature of the measures taken for the purposes of prevention, investigation, detection and prosecution of serious crime, the retention of data must continue nonetheless to meet objective criteria, that establish a connection between the data to be retained and the objective pursued. In particular, such conditions must be shown to be such as actually to circumscribe, in practice, the extent of that measure and thus, the public affected.”

If federal and state legislators and regulators in the U.S. desire to fill the Internet privacy regulatory void, they might consider looking to the EU and the GDPR for guidance.