What U.S. companies need to know about the evolving EU privacy rules
For the past 20 years, when U.S. companies needed to share employee information, collect consumer data, target advertisements, or complete e-commerce transactions, they were able to avoid strict penalties and cumbersome data transfer rules required by the European Union (EU) Data Privacy Directive (the Directive). Now, both U.S. companies and EU citizens are in limbo about what is happening with their data.
In 1995, the European Commission passed the Directive, which regulated the transfer outside the EU of EU citizens’ personal information. Under the Directive, personal data of EU citizens may only be transferred to a non-EU country if that country provides an adequate level of data security regulation. Soon after the Directive was implemented, certain countries were given a “safe harbor” designation, signaling that those countries’ standard security procedures appropriately safeguarded personal information. However, concerns over U.S. government mass surveillance and the lack of a comprehensive federal data security law in the United States triggered the European Court of Justice to boot the United States off the safe harbor list in October 2015. This move exposed U.S. companies to the risk of significant penalties from the European Commission, especially if those companies had European operations or EU citizens as customers or employees, or used software that hosted data remotely.
The target keeps moving for U.S. companies, however. The EU recently released a new regulatory framework that will replace the Directive. The EU’s General Data Protection Regulation (GDPR) applies to all businesses handling consumer data of EU citizens and will become enforceable in 2018. The GDPR also carries with it significant fines: Even for inadvertent noncompliance, a company may be fined up to 4% of its global revenue.
Fortunately, the United States recently clarified the safeguards and limitations of the U.S. surveillance program, prompting the drafting of the EU-US Privacy Shield, an agreement with the EU that will once again permit a safe harbor regarding legal transfers of EU citizen data to and through the United States, even under the new GDPR. This privacy shield will likely include specific requirements for U.S. companies that handle EU citizens’ personal data, additional monitoring of companies by the U.S. Department of Commerce and the Federal Trade Commission, and increased visibility and enforcement of European complaints of misuse of personal data. Moving forward, the United States has pledged to create a division within the U.S. Department of State to oversee EU data protection agencies’ complaints. There will also be an alternative dispute resolution mechanism to resolve grievances and a joint annual review of the accord.
However, the plan the EU and United States have negotiated still must be ratified by the EU once it is finalized. Because these developments are constantly evolving and significantly affect almost any e-commerce transaction, employment of EU citizens (even by American companies), and the liability considerations of any technology solutions that store or use personal information, U.S. businesses of all sizes and in all industries should consult trusted counsel and consider new ways to mitigate risks that may be posed by the changing privacy rules.
Ariane Strombom is an attorney with the law firm of Whyte Hirschboeck Dudek S.C. who practices in the areas of technology law and corporate transactions, and co-leads the International Transactions Team. She can be reached at astrombom@whdlaw.com.