Privacy Issues for U.S. Companies Expanding to Europe

The European Data Protection Directive (Directive) prohibits transfers of personal data to non-European Union (EU) nations. While the EU and the United States share the same goal of enhancing privacy protection for their citizens, the EU and the United States take different approaches to achieving this goal. The EU relies on comprehensive legislation, while the United States takes a market centric approach relying mostly on self-regulation. However, as U.S. multinational companies expand to Europe, the European subsidiaries are subject to EU data protection laws. Fortunately, thanks to a EU-U.S. treaty, U.S. companies can self-certify that they conform to EU data protection principles, and therefore be deemed a “Safe Harbor” for receipt of personal data from any EU company. 

“Safe Harbor” Agreement

In order to bridge EU-U.S. differences, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework. The Safe Harbor framework provides a number of benefits for U.S. firms, including: all 27 EU member states will be bound by the finding of adequacy of U.S. organizations participating in the Safe Harbor program; data flows from EU member states to U.S. Harborees will be deemed adequate; and claims brought by EU citizens against U.S. organizations will be heard in the United States. For EU organizations, the Safe Harbor framework offers a simpler and cheaper means of complying with EU law when dealing with U.S. companies. 

How to Comply

In order to self-certify compliance with the EU-U.S. Safe Harbor agreement, U.S. companies must incorporate seven principles into their privacy policies and file a certification form with the U.S. Commerce Department. U.S. companies that have been accepted into the program are then listed on the department website. The seven Safe Harbor principles are as follows:

1. Notice – Company must inform individuals about the purpose for collecting their personal data.

2. Choice – Company must allow individuals the opportunity to opt-out of collection of their personal data.

3. Onward Transfer – Company may disclose personal data only to third parties that adhere to the seven principles.

4. Security – Company must provide reasonable protections against potential loss and unauthorized access to the information.

5. Data Integrity – Company must process personal data only in a manner that is consistent with the purpose for which the data was collected.

6. Access – Individuals must have access to their personal data and be able to amend or correct it.

7. Enforcement – Company must establish independent recourse mechanisms for dealing with non-compliance.

• For Legal Jargon… Click on This Link
• What’s in a Signature?
• U.S. Supreme Court Rules on Warrantless GPS Tracking
• When Industry and Government Don’t Stay in Synch
• Regulatory Uncertainty: A Major Factor in Conflict Areas

• Authorizations to Offer Satellite Services to and from the United States
• Universal Service Fund and its Impact on the Satellite Sector
• C-Band ESV Licenses Clear Way for Entry into Maritime Market
• Regulatory Status of Satellite Service Using Vehicle-Mounted Antennas
• The Case for Earth Station FCC License Modifications