Privacy Issues for U.S. Companies Expanding to Europe

The European Data Protection Directive (Directive) prohibits transfers of personal data to non-European Union (EU) nations. While the EU and the United States share the same goal of enhancing privacy protection for their citizens, the EU and the United States take different approaches to achieving this goal. The EU relies on comprehensive legislation, while the United States takes a market centric approach relying mostly on self-regulation. However, as U.S. multinational companies expand to Europe, the European subsidiaries are subject to EU data protection laws. Fortunately, thanks to a EU-U.S. treaty, U.S. companies can self-certify that they conform to EU data protection principles, and therefore be deemed a “Safe Harbor” for receipt of personal data from any EU company. 

“Safe Harbor” Agreement

In order to bridge EU-U.S. differences, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework. The Safe Harbor framework provides a number of benefits for U.S. firms, including: all 27 EU member states will be bound by the finding of adequacy of U.S. organizations participating in the Safe Harbor program; data flows from EU member states to U.S. Harborees will be deemed adequate; and claims brought by EU citizens against U.S. organizations will be heard in the United States. For EU organizations, the Safe Harbor framework offers a simpler and cheaper means of complying with EU law when dealing with U.S. companies. 

How to Comply

In order to self-certify compliance with the EU-U.S. Safe Harbor agreement, U.S. companies must incorporate seven principles into their privacy policies and file a certification form with the U.S. Commerce Department. U.S. companies that have been accepted into the program are then listed on the department website. The seven Safe Harbor principles are as follows:

1. Notice – Company must inform individuals about the purpose for collecting their personal data.

2. Choice – Company must allow individuals the opportunity to opt-out of collection of their personal data.

3. Onward Transfer – Company may disclose personal data only to third parties that adhere to the seven principles.

4. Security – Company must provide reasonable protections against potential loss and unauthorized access to the information.

5. Data Integrity – Company must process personal data only in a manner that is consistent with the purpose for which the data was collected.

6. Access – Individuals must have access to their personal data and be able to amend or correct it.

7. Enforcement – Company must establish independent recourse mechanisms for dealing with non-compliance.

Helpful Hints on Self-Certifying

Before applying for Safe Harbor compliance with the Commerce Department, a U.S. company must first take a series of steps: (1) make sure that the company is subject to the jurisdiction of the U.S. Federal Trade Commission; (2) develop a Safe Harbor policy statement that complies with the seven Safe Harbor principles; (3) draft a privacy policy that makes specific references to Safe Harbor compliance; (4) make sure that the privacy policy is available publicly; (5) establish an independent recourse mechanism to investigate unresolved complains; and (6) designate an internal contact regarding Safe Harbor. 

Conclusion

With the advent of the Internet, globalization and cloud computing, trans-border transfer of personal information is now inevitable. EU privacy laws are among the strictest in the world. Transfers of personal data to non-EU countries are generally prohibited, including transfers to the United States. However, given the enormous trade between the EU and the United States, a compromise has been reached through the Safe Harbor treaty. U.S. companies that comply with the Safe Harbor framework and self-certify through the Commerce Department are deemed to have adequate protection for personal data. Hence, they become a safe harbor for EU companies to use without the danger of violating EU law.

Raul Magallanes runs a Houston-based law firm focusing on telecommunications law. He may be reached at +1 (281) 317-1397 or by email at raul@ rmtelecomlaw.com.