EU privacy rules may hit Internet giants hard

Google, Facebook and other U.S. Internet giants could face huge fines without a new agreement on how they handle the personal information of their European customers.

Negotiators from the United States and Europe will meet Tuesday to discuss a new set of rules to protect the personal data of Europeans. Failure to reach a "safe harbor" agreement could force American Internet goliaths like Amazon, Facebook and Google to change the way they manage customer information or face the risk of tens of millions of dollars in fines for violating the European Union's increasingly tough privacy regulations.

U.S. Secretary of Commerce Penny Pritzker assured attendees at the World Economic Forum in Davos, Switzerland, last week that the two sides were working hard on a comprehensive agreement, but she conceded that stumbling blocks remained over mass surveillance by U.S. security agencies and the right of European citizens to review their personal information.

Without a new deal, U.S. Internet companies could be forced to keep European customer data separate, adding complexity to their already far-flung operations and raising their costs. This week Facebook announced it was setting up its second data center in Europe, possibly positioning itself in case it needed to segregate European customer data. In addition, the French newspaper Le Monde reported Thursday that Google was also taking steps to allow European citizens to delete their information, meeting an EU demand that consumers be given a right to be "forgotten."

Talks have been under way for two years to revise the 15-year-old Safe Harbor Agreement, which gave U.S. companies blanket legal protection to transfer European customer information across the Atlantic. However, negotiations became more urgent last October when the European Court of Justice unexpectedly ruled that Irish authorities (where Facebook and other U.S. tech companies have European headquarters) had failed to adequately protect the privacy of European citizens.

In December, the EU issued new directives backed by stiff fines that have left American Internet giants, like Google, Facebook and Amazon — and thousands of other companies — in limbo about how they collect, store and use European customer data. The maximum fine could be 4 percent of a company's global revenues.

For Facebook, with 2016 revenues projected at $24 billion by Bank of America analysts, an extreme penalty could mean a bite of nearly $100 million. [Because of the delicate nature of negotiations, regulators in the U.S. and Europe declined interview requests from CNBC.com. Facebook and Google did not respond to inquiries.]

Blame the new turmoil on two individuals: Edward Snowden and Max Schrems. Snowden is the well-known NSA whistleblower who exposed the massive U.S. government surveillance of private citizens via the Prism program. Schrems is a lot less famous, but the 28-year-old Austrian Ph.D. candidate in law has single-handedly challenged the way big tech companies handle personal data.

Inspired by Snowden's revelations, Schrems filed a lawsuit in 2013 charging that his Facebook data was not adequately protected from U.S. surveillance. He won the surprising judgment last October when the European Court of Justice knocked down the 15-year-old Safe Harbor agreement governing data transfers between the European Union and the United States.

The second blow was a tough new data-protection directive from the European Union in December that included the new maximum fine of 4 percent. Among its provisions: mandatory disclosure of data breaches, parental permission for children under 16 to join social networks, the right of European citizens to be completely "forgotten" by data collectors and a requirement that large companies name a data-protection officer.

"The regulation returns control over citizens' personal data to citizens," Jan Philipp Albrecht, the EC's lead legislator on the directives, said of the new rules. "Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data."

On Thursday, the U.S.Senate Judiciary Committee approved on a bipartisan vote the Judicial Redress Act, clearing the way for Europeans to have the right to review and correct inaccurate information about them — one of the major issues in negotiations.

U.S. companies are not celebrating. They see the rules as a potentially costly complication and even a trade barrier to doing business in Europe. The U.S Chamber of Commerce, which lobbied heavily in Brussels during the rule-making process, warned that the new directive "has significant implications for Europe's economy and social welfare, as it affects the business community from the United States, Europe and globally."

The divergent approaches to privacy on opposite sides of the Atlantic are rooted in culture and history, said Miriam Wugmeister, a privacy and data security expert at law firm Morrison & Foerster. "You had real misuses of personal information to achieve totalitarian and fascistic goals [during World War II]," said Wugmeister. "To Europeans, the mere collection of personal information is a bad thing and you should only be able to do it when you have a really good reason" By contrast, she argues, Americans are much more casual about their privacy. "In the U.S., if you want to collect personal information and put it all in a phone book and sell it, that's fine as long as you don't misuse it."

The European sensitivity about privacy was reflected in comments by Isabelle Falque-Pierrotin, the top French privacy regulator. "American companies do not have an immediate right to collect data on our citizens," she told The New York Times. "If they are on our soil, then they need to live with the consequences."

Max Schrems, whose lawsuit aggravated the privacy turmoil, told CNBC.com that he was not trying to destroy the industry. "I was trying to improve the system." He blamed European officials for failing to enforce their own laws and allowing violations under cover of the old Safe Harbor agreement. In addition, he said, U.S. tech companies were often dismissive of European law. "You had this approach in Silicon Valley: 'We're going to make the rules, and we don't give a damn about your laws.'"

Microsoft president and chief legal counsel Brad Smith conceded U.S. companies need to be as transparent as possible. "Who owns your data? You own your data." he told the Davos panel. "If people in Europe are going to trust American companies, we need to be accountable."

The ignorance of — or deliberate disregard for — stricter European privacy regimes has come back to bite the Internet giants, who depend on vast amounts of personal data to determine what and how they sell to customers. But companies often find themselves trying to negotiate the difference between two sets of rules while managing intelligence agency demands. Even internal data could be imperiled. Can the European subsidiary of an American company transmit personnel data to its U.S. headquarters?

"It leaves companies holding the bag," said Wugmeister.

With growing concern in Europe over terrorism, U.S. intelligence agencies are not the only ones complicating a deal on privacy. "Data protection is regulated at the European Commission level, but security is regulated at the member state level," said Wugmeister. "We have a 100 percent disconnect."

Added Danny O'Brien, international director of the Electronic Freedom Foundation: "The problem right now, these companies cannot comply with the ECJ ruling, because they don't control U.S. security law."

The biggest and most successful cloud services companies are American, argued Wugmeister. Large providers will adjust to the rules, and big companies will access U.S. services that are cheap and cutting-edge. She thinks medium-sized companies will be hurt most by the new privacy regulations. "The smaller companies will not have bargaining power," she said. "They will not be able to change their infrastructure to make it work, and they're not going to get competitive pricing."

But the creativity of Europeans to exploit the differences between Americans and Europeans on privacy shouldn't be underestimated. At last year's White Bull technology conference in Barcelona, a new cloud start-up touted its most significant credential: Its servers weren't based in the U.S. The company's name also made its pitch quite clear: Safe Swiss Cloud.

But even if the negotiators miss the Feb. 1 deadline, they expect to eventually reach an agreement. As Microsoft's Smith put it at Davos: "This is too important to fail."

— By Joel Dreyfuss, special to CNBC.com