| |
| META TOPICPARENT | name="FirstEssay" |
|---|
| | | United States | |
<
< | In the US, the Cambridge Analytica scandal effectuated various changes in the US data privacy law landscapes, including the California Consumer Privacy Act (CCPA), which is currently the most comprehensive data privacy law to be enacted in the US (The Act goes into force on January 1, 2020). Some call this shift in public awareness towards data privacy legislation as the "great privacy awakening" ([http://...][https://d20x8vt12bnfa2.cloudfront.net/2019/2019InternetHealthReport_shortversion.pdf]]). In 2018, the number of Americans who think Tech companies need more regulation and should be made liable for breaches of their user’s data privacy rose to 83 % (from 49 % in 2017), as a recent national representative survey showed ([http://...][(https://www.theguardian.com/technology/2018/apr/20/facebook-tech-companies-us-privacy-poll)]. | >
> | In the US, the Cambridge Analytica scandal effectuated various changes in the US data privacy law landscapes, including the California Consumer Privacy Act (CCPA), which is currently the most comprehensive data privacy law to be enacted in the US (The Act goes into force on January 1, 2020). Some call this shift in public awareness towards data privacy legislation as the "great privacy awakening" (For further information: Internet Health Report 2019, Mozilla). In 2018, the number of Americans who think Tech companies need more regulation and should be made liable for breaches of their user’s data privacy rose to 83 % (from 49 % in 2017), as a recent national representative survey showed (For further information: Americans want tougher rules for big tech amid privacy scandals, The Guardian). | | |
CCPA | |
<
< | It will be interesting to observe the consequences of the CCPA, which was designed to enhance the privacy rights of Californians. Although it is commonly thought of as a similar version of the GDPR, it differentiates itself from its European counterpart in several questions and of course, the Act is not uncontroversial ([[http://...][(https://blog.ericgoldman.org/archives/2018/07/ten-reasons-why-californias-new-data-protection-law-is-unworkable-burdensome-and-possibly-unconstitutional-guest-blog-post.htm)].
With the "Right to Erasure", the CCPA will contain the Californian interpretation of the RTBF and the law grants affected consumers the right to request deletion of their personal information from any company subject to the CCPA. As its European counterpart, the right does not apply unlimited and there are certain limitations (A list of limitations can be found here: (https://www.dataprotectionreport.com/2018/09/ccpa-extends-right-to-deletion-to-california-residents/). Yet, it can be expected that Californian companies will face similar difficulties as GDPR affected companies, in actually complying with such deletion requests of affected consumers / data subjects. This can pose various operational challenges in actually deleting all personal data of a requestor (just think about complex IT architectures with automated back-up hard drives, cloud storages, etc.). | >
> | It will be interesting to observe the consequences of the CCPA, which was designed to enhance the privacy rights of Californians. Although it is commonly thought of as a similar version of the GDPR, it differentiates itself from its European counterpart in several questions and of course, the Act is not uncontroversial (For further information: Technology & Marketing Law Blog, Eric Goldman).
With the "Right to Erasure", the CCPA will contain the Californian interpretation of the RTBF and the law grants affected consumers the right to request deletion of their personal information from any company subject to the CCPA. As its European counterpart, the right does not apply unlimited and there are certain limitations (A list of limitations can be found here: Data Protection Report, Northon Rose Fulbright). Yet, it can be expected that Californian companies will face similar difficulties as GDPR affected companies, in actually complying with such deletion requests of affected consumers / data subjects. This can pose various operational challenges in actually deleting all personal data of a requestor (just think about complex IT architectures with automated back-up hard drives, cloud storages, etc.). | | |
Judicial Application | | | In recent weeks, two noteworthy cases illustrate how the EU is still determining the scope of the RTBF and both cases affect US tech giants. | |
<
< | On September 24, 2019, the ECJ limited the geographical reach of the RTBF. The French privacy regulator fined Google after it rejected a directive to globally remove search results which contain defaming information about a person. The ECJ then held that the internet is a global network without borders, yet numerous third States do not recognize the RTBF and no country should be able to impose rules on citizens of another country. The ECJ concluded that there is no obligation under EU Law for search engines to carry out de-listing requests outside the EU, or as the Court remarkably said: "The right to protection of personal data is not an absolute right" and so the RTBF does not apply outside of the EU (http://curia.europa.eu/juris/document/document.jsf?text=&docid=218105&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1466914). | >
> | On September 24, 2019, the ECJ limited the geographical reach of the RTBF. The French privacy regulator fined Google after it rejected a directive to globally remove search results which contain defaming information about a person. The ECJ then held that the internet is a global network without borders, yet numerous third States do not recognize the RTBF and no country should be able to impose rules on citizens of another country. The ECJ concluded that there is no obligation under EU Law for search engines to carry out de-listing requests outside the EU, or as the Court remarkably said: "The right to protection of personal data is not an absolute right" and so the RTBF does not apply outside of the EU (For further information: Google LLC v Commission nationale de l’informatique et des libertés (CNIL)). | | | Only two weeks later, however, the same Court held on October 3, 2019, that Facebook can be forced to delete content worldwide. This judgement was made after an Austrian politician sued Facebook Ireland Ltd., to remove comments about her, which an Austrian Court determined to be defamatory, on Facebook. The Court held that a EU member state court can order a host provider to remove information which previously was declared to be unlawful worldwide within the framework of the relevant international law. This decision could let objective viewers believe that the EU is nonetheless trying to implement the RTBF as a global regulatory internet standard and it has to be seen, how this decision will heat up the discussion of free speech versus privacy. |
|