with contributing author Kyle Petersen
On October 6, Europe’s highest court, the Court of Justice of the European Union, struck down the “Safe Harbor Framework,” which existed between the United States and the EU for 15 years. This has an impact on companies collecting or processing personal data in EU nations for use in the United States. The Framework provided a method for over 4,000 U.S. companies to transfer personal information outside the European Union consistent with the EU’s strict Data Protection Directive. The Directive establishes the rules for protecting Europeans’ privacy rights. To take advantage of the Framework, U.S. companies have self-certified compliance with EU standards to the Department of Commerce.
The European court struck down this longstanding business arrangement after Austrian privacy activist Max Schrems alleged that his personal information, transmitted via Facebook or stored on Facebook’s servers in the U.S., was not, in fact, safe from the prying eyes of the U.S. government. Schrems’ lawsuit arose after Edward J. Snowden, a former contractor for the National Security Agency, divulged that American intelligence agencies were freely accessing data held by Facebook or transferred by email and other means between the EU and the U.S. The European high court agreed, holding that U.S. government actions invalidated the “Safe Harbor” provisions.
As a result, many multinational organizations, large and small, must now obtain prior approval from each EU member nation where the company has customers, suppliers, employees or other relationships with EU residents who provide personal information. Such information includes names, contact information and other “personally identifiable information,” ranging from membership in clubs or trade unions to names of family members, insurance coverage, banking relationships, religious affiliation, employment information and a host of other personal details. Entities engaged in collecting or processing any personal information from residents of an EU member nation are required to register as “data controllers” in each EU country where they do business or collect personal information. Failure to adhere to these European privacy norms can lead to investigations by data protection agencies and fines in the tens of thousands of dollars. In addition, Europeans tend to be highly protective of their privacy and often reject companies that ignore traditional EU-mandated privacy protections.
How to ensure compliance with international data protection laws
If you have concerns about your organization’s continuing ability to carry on transglobal business arrangements in light of this new EU ruling, or about its compliance with international data protection laws, contact a lawyer qualified to draft the documentation that must be submitted to EU national data protection agencies to obtain “registration” or “notification” of your data collection and transmission strategy and practices.
To establish compliance and rights to receive and transmit personal information, a lawyer will:
- Prepare written transborder transfer agreements between European and American entities
- Prepare “Informed Consent” agreements for use when receiving personal information from European residents
- Counsel the client in drafting “binding corporate rules” arrangements where advisable in order to satisfy European privacy agencies, which must approve systems for transferring personal data beyond EU borders
- Prepare and submit applications for registration/notification, which must be approved by EU national data protection agencies. Many EU data protection agencies require applicants to submit for approval their transborder transfer agreements, Informed Consent Agreements and company privacy policies as part of the registration process.
Although the EU was the original privacy protection leader, many nations on multiple continents have now adopted unique laws restricting the collection of their citizens’ (and residents’) personal information.