23 Mar 2012
The EU's proposed changes to its privacy regulations will cause fresh clashes between European data protection authorities and US law enforcement agencies, warn legal experts.
"The General Data Protection Regulation raises the stakes in the ongoing privacy-versus-security debate between the EU and the US," said Lukas Feiler, associate at Vienna-based law firm Wolf Theiss and a fellow at Stanford University/University of Vienna Transatlantic Technology Law Forum (TTLF).
US companies would face hefty fines if they are ordered by US agencies to reveal the personal data of EU citizens and don't also obey the new EU regulations proposed earlier this year.
One area where the EU's new regulations would conflict with US requirements is in US law enforcement agencies' use of controversial National Security Letters (NSLs), which the EU would no longer recognise, said Feiler.
"The EU's draft proposal of a General Data Protection Regulation would make clear that [NSLs] issued by the FBI pursuant to the Patriot Act, section 505, are not to be recognised in the EU," he said.
NSLs are used mainly by the FBI to obtain customer and transaction records from the likes of ISPs, phone companies and banks to assist in the investigation of terrorism, fraud and organised crime.
NSLs are limited to "non-content information", such as transactional records, phone numbers dialled or email addresses mailed to and received from, not the text of emails or a recording of a voice conversation.
Unlike a search warrant, the NSLs do not require the prior permission of a judge and can be used when "analysing" terrorism, not just when investigating a specific crime.
NSLs also carry an integral gagging order that prevents the company on which they are served from telling its customers that their personal data has been disclosed.
"For any US company to disclose personal data of EU residents pursuant to an NSL, an approval by the Data Protection Authority of an EU member state would have to be obtained first," said Feiler.
"Companies that fail to do so would be subject to fines of up to two per cent of their annual worldwide turnover."
NSLs predate the Patriot Act and were previously limited to the FBI. But subsection 358(g) of the Patriot Act extended their use to any government agency investigating or analysing international terrorism, according to Charles Doyle, senior specialist in American public law at the Congressional Research Service.
"Policy makers on the two sides of the Atlantic address privacy issues very differently," Feiler told Computing.
"The US is continuing its path of sector-specific self-regulation that has produced questionable results in the past and fundamentally differs from the approach in the EU."