For U.S. companies operating in Europe, compliance with European data privacy laws can seem onerous, because EU data privacy laws are much stricter than U.S. laws. The U.S. Department of Commerce and the FTC have the right to sanction companies in the U.S. for violations of EU data privacy laws, whether they occur abroad or in the U.S. If your company may deal with personal data of EU citizens, it is vital for you to understand EU data privacy laws and comply. Otherwise, you can face serious sanctions. A Priori privacy lawyer can help your company understand EU data privacy regulations and devise a compliance program, as well as address any issues that do arise.
Understanding European Data Privacy Laws
The European Union has a single data privacy policy that applies to any company collecting data on citizens in member states. These data privacy laws are based on several fundamental rights, including easy access to data collected by the person information was collected on, a “right to be forgotten” and have your data deleted, protections against hacks and the right to know if your data has been hacked, clear notice and information about data being collected, and easy data portability at the request of citizens.
These rights are codified in two key legal instruments.
- General Data Protection Regulation. This law unifies data collection rules for businesses and clearly states all requirements for data privacy.
- Data Protection Directive. This directive establishes terms under which data can be turned over to authorities, as well as punishments and victims’ rights for data privacy violations.
EU-U.S. Agreements on Commercial Collection of Data on EU Community Members
In order to better establish U.S. corporate compliance with EU data privacy laws, the United States and the EU Commission have established two agreements on commercial collection of data on EU community members. Currently, only the EU-U.S. Privacy Shield remains in effect.
Safe Harbor Framework
For many years, the U.S. Department of Commerce certified compliance with EU data privacy laws under the Safe Harbor framework agreed upon between the United States and the European Union. Surveillance revelations in documents leaked by Edward Snowden, however, led the European Court of Justice to declare Safe Harbor invalid on October 6, 2015. While this framework has been replaced, the principles behind the Safe Harbor framework remain important to understand.
The seven key Safe Harbor principles relate to:
- Notice. All individuals must be properly informed that their data is being collected and how it will be used, as well as a means to contact the organization with any inquiries or complaints related to data collection.
- Choice. There must always be the option to opt out of data collection and transfer of such data to third parties.
- Onward Transfer. Data transfers to third parties is only allowed if the receiving organizations comply with Safe Harbor and follow adequate data protection principles.
- Data Integrity. All data collected must be relevant to and reliable for the purpose it was collected.
- Access. Individuals have a right to access any data held on them and make modifications to, correct, or delete inaccurate information.
- Security: Reasonable efforts must be made to prevent loss or unauthorized access of collected data.
- Enforcement. Effective procedures to enforce all rules regarding data privacy must be internally in place.
EU-U.S. Privacy Shield
On February 2, 2016, the EU Commission announced the EU-U.S. Privacy Shield, which is to replace Safe Harbor as the annual self-certification process by which U.S. companies comply with EU data privacy standards through the U.S. Department of Commerce. The Privacy Shield retains the seven principles of safe harbor, but strengthens them by adding four additional areas of compliance:
- Stronger obligations on companies enhanced by robust enforcement. All companies will be obligated to make privacy policies transparent, including by displaying their privacy policy on the website and tightening conditions under which forward transfers of data are allowed. In addition, oversight mechanisms must be put in place to ensure companies abide by the rules, including U.S. sanctions for lack compliance.
- Safeguards and transparency in regard to U.S. government access to data. U.S. authorities are prohibited from indiscriminate or mass surveillance. Any access to personal data by public authorities will be subject to clear limitations, safeguards, and oversight mechanisms. Companies will report an approximate number of requests for data.
- Greater options for redress with companies. All complaints about data use must be responded to within 45 days. Alternative dispute resolution must be made available free of charge. Complaints not resolved in a timely manner will be investigated and dealt with by the U.S. Department of Commerce and the FTC. A Privacy Shield Panel will be convened as an arbitration mechanism of last resort, in order to ensure an enforceable solution.
- Joint monitoring mechanisms. An annual review of Privacy Shield commitments will be conducted jointly by national intelligence experts from the U.S. and European Data Protection Authorities and will be publicly published.
Evolving EU Data Privacy Legislation
Concerns over data privacy are ever-evolving, especially as more data is collected and the means of collecting such data continue to advance. The Privacy Shield has yet to be fully vetted, and it is likely to change as time goes on. Companies collecting the data of EU community members should be careful to stay on top of developments in EU data privacy law. If you are not sure whether or not your company is living up to current EU privacy regulations, it may help to speak with a qualified privacy attorney.
FAQ
What is the Judicial Redress Act?
The Judicial Redress Act gives EU citizens access to U.S. courts to enforce privacy rights related to personal data transferred to the U.S. for law enforcement purposes. Essentially, the Judicial Redress Act provides EU citizens the same rights available to U.S. citizens under the 1974 Privacy Act.