Technology companies are getting crunched between clashing U.S. and European Union privacy laws. A Belgian court on Monday dinged Facebook for secretly tracking visitors, while search website Spokeo will probably get away with similarly nosy conduct in America. Yet in neither case could victims prove they were hurt. The disparate outcomes highlight the risks of operating globally.
Privacy means something quite different on either side of the Atlantic. The ability to, say, control personal information or be left alone is a basic human right in the EU. In the United States, privacy is generally defined by courts and statutes. And unlike Europeans, Americans can’t sue successfully for violations without showing harm.
It’s no surprise, then, that a Brussels court ordered Facebook to stop installing tracking files, called cookies, on computers of casual visitors to the site. A U.S judge, by contrast, dismissed a similar lawsuit last month, because the complaint didn’t describe any loss from Facebook’s conduct.
Things get tricky when both jurisdictions’ laws are involved. A Facebook user recently sued the company for violating his privacy by transferring personal information from its Irish processing center to U.S. servers, where data protections were weaker. Earlier this year, the EU Court of Justice ruled in the user’s favor and struck down the European-American arrangement allowing such transfers.
The Spokeo case offers the U.S. Supreme Court a chance to move American law closer to European rules. The Fair Credit and Reporting Act allows consumers to sue companies like Spokeo that release inaccurate information. The question is whether suits involving only speculative damages qualify. That would fly in the face of the no harm, no foul principle. Judging from recent oral arguments, the justices seem to agree.
Conflicting privacy rules make global operations difficult for the likes of Facebook and Google – now called Alphabet – whose businesses rely on mining information. The EU Court of Justice hinted at a solution in the case involving Europeans’ right to be “forgotten,” ruling it was Google’s responsibility to determine which links to erase.
Assuming the company would want to preserve customer goodwill is an appealing enforcement mechanism. Whether it would work in protecting privacy broadly is open to question. In any event, more uniform data-gathering rules would benefit tech firms and consumers alike.