American companies that do business in the European Union need to be aware of—and comply with—Europe’s strict rules for transferring personal data to the United States.

Under a decade-old “Privacy Directive,” personal data transfers from the E.U. to outside countries must be given “adequate protection.” That includes protecting privacy, as well as other rights considered fundamental in the E.U., such as transparency, fairness and limits on how the data is used.

John Reynolds, a partner with Wiley Rein & Fielding in Washington, says that U.S. companies that need to worry about the E.U. Privacy Directive fall into two groups.

The first is an American company that receives information from a third-party company in the E.U.; the second is a U.S.-based global company that “transfers information or maintains a central database in the United States,” Reynolds explains. “A European employee transferring data to the central server in the U.S. is moving data from the E.U. to the U.S. There’s nothing nefarious about that. But the transfer may involve protected personal data—so the E.U. Privacy Directive must be complied with.”

Lori Braender, a partner with the law firm Pitney Hardin in Florham Park, N.J., notes that U.S. laws don’t follow the same requirements as the E.U. Privacy Directive. “The concept of protecting employees is at a much more heightened level in the E.U.—there’s much more awareness in the E.U., which has a much different sense of employee protections than in the U.S.,” says Braender, who is the coordinating partner of Pitney Hardin’s office in Belgium.

The restrictions on transferring personal data “mostly deal with obtaining appropriate consent,” she says. “And there are limits on what companies can do with that information.”

Safe Harbor Or Contract

American companies wrestling with E.U. privacy rules have two basic options. One, Reynolds says, is the Safe Harbor provision negotiated between the United States and the E.U.

To sign up for the Safe Harbor, a U.S. company certifies to the U.S. Commerce Department that it complies with the Safe Harbor principles. “The U.S. company can then represent to E.U. companies, including its own subsidiaries in the E.U., that they may freely transfer data covered by the U.S. company’s Safe Harbor declaration,” Reynolds says.

But be warned: not every U.S. company is eligible for Safe Harbor protections. “With a few narrow exceptions,” Reynolds says, only companies within the Section 5 jurisdiction of the Federal Trade Commission qualify.

And not every company eligible for the Safe Harbor has elected to join the arrangement. Indeed, Braender notes that the number of companies that have chosen the Safe Harbor option is “minimal,” because businesses must implement numerous procedures to meet Safe Harbor’s standard of protection.

Companies ineligible for the Safe Harbor, or that choose not to go that route, can negotiate a contract with their E.U. partner companies that will satisfy E.U. data protection authorities, Reynolds notes. Contracts can be ad hoc, or a U.S. company can use model contracts developed by the E.U. The E.U. has published two model contracts that companies can use as templates (see box above, right, for a sample model contract).

PRIVACY DIRECTIVE

The excerpt below is from Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data:

Chapter II, Section I: Principles Relating To Data Quality (Article 6)

Member States shall provide that personal data must be:

processed fairly and lawfully;

collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use...

Chapter II, Section II: Criteria For Making Data Processing Legitimate (Article 7)

Member States shall provide that personal data may be processed only if:

the data subject has unambiguously given his consent; or

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

processing is necessary for compliance with a legal obligation to which the controller is subject; or

processing is necessary in order to protect the vital interests of the data subject; or

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or

processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1...

Source: Directive 95/46/EC Of The European Parliament And Of The Council Of 24 October 1995

A company “should choose the option best suited to its current and expected future data transfers,” Reynolds says. “In general, however, we have not found the model contracts especially attractive to our [firm’s] multinational clients.”

Case-By-Case Determination

The consequences for non-compliance with European privacy rules can be severe. Subsidiaries of American companies that violate the Privacy Directive “may be subject to penalties,” Braender says. “And claims can be brought against a U.S. company as well, if it has business interests overseas.”

Reynolds notes that an American company’s inability to comply with the E.U. rules can make it difficult, if not impossible, to obtain certain information.

“If U.S. companies can’t protect the information they receive—if they can’t assure the E.U. company that the data [is] going to be protected—the E.U. company will probably not transfer the data and the U.S. company will not receive information it needs to do its business efficiently.”

If the U.S. company receives the information in violation of the Privacy Directive, and the U.S. company has operations in the E.U., “the E.U. [affiliate] could be subject to substantial harassment by E.U. authorities,” Reynolds says. “Plus, U.S. companies want to do business there—they want to be selling into that market.”

Strategies for addressing E.U. privacy rules evolve on a case-by-case basis, Braender notes. “If you’re talking about a small branch office [in Europe], it’s a lot different than talking about a substantial company with a substantial number of employees in the E.U.,” she says. “Whether or not to go through the Safe Harbor process, what’s the need for information—all of that has to be discussed before a company embarks on any [project] where it’s going to be employing E.U. citizens. Measures have to be in place, and they have to be in place before the venture is embarked upon.”

Reynolds agrees. “It depends on the volume and nature of the data transfers one is looking at,” Reynolds says. “We try to sit down with our clients, think through with them what their specific data flows are, what they foresee for the next several years—and then help them design a program that works for them and fully complies with applicable laws and regulations. It might include specific consents for some kinds of data transfers, and joining the Safe Harbor for other kinds of data.”

And compliance with the E.U. Privacy Directive should be seen as part of a larger picture that could include more stateside regulation as well, Reynolds notes.

“A big development on the U.S. side [has been] the fact that a lot more of these cases of lost files and potential identity theft are coming to light,” he says. California, for example, has a law requiring companies to notify customers when their personal data might have been lost or stolen. More such laws are on the way, Reynolds says. “Episodes that might never have become known to the U.S. public are now coming to light and causing consumers to be much more concerned about the loss or compromise of their personal information. Companies are responding to that concern, and it has generated legislative proposals at the federal level.”

The E.U. Directive, sample model contracts, Safe Harbor information, and related coverage are available from the box above, right.