European Data Access Proposals Threaten U.S. Providers

On April 19 the European Commission published two legislative proposals that compel tech companies and service providers to ignore privacy obligations when facing data requests from foreign governments. If enacted, they could compel U.S. – based providers to violate the Stored Communications Act, which prevents the disclosure of stored communications content in the absence of a court order. The proposals (a Regulation and a Directive) apply to a broad range of companies that offer services in the EU, and that have a “substantial connection” to one or more Member States. The proposals would compel affected companies, which range from small ISPs and startups to multinational corporations  including Facebook, Twitter, and Google, to develop resources and expertise in many EU data access regimes. They would immunize businesses from liability in situations where good faith compliance with a data request might conflict with EU data protection laws, which creates an incentive to err on the side of compliance with a data demand no matter the cost to privacy. There is no comparable immunity from the fines that could be levied for ignoring a data access request on the basis of good-faith compliance with EU data protection rules.