By: Robert Hawn
As a business attorney practicing in the San Francisco Bay Area working with start-up companies, I often represent companies which are pursuing market opportunities in the European Community. Many of these companies, especially “software as a service” companies, offer apps and other services which process data and personal information of individuals who live in Europe. As a result, these companies are required to comply with European Union-directed privacy laws. Up until recently, complying with these laws was possible by taking advantage of a “safe harbor” that allowed US companies to process personal data of individuals in EU member countries.
Last October, a European Union court threw this “safe harbor” into disarray and invalidated this relatively long-standing information sharing framework. Since then, many companies receiving information from EU country citizens have operated in an uncertain environment regarding privacy matters. A ray of hope arose, however, in the last few weeks with the adoption of a new approach to enable U.S. companies to gather European-originated personal data.
A Little History
The European Community has traditionally been highly protective of the personal information of the citizens of its member states. This has often clashed with the relatively more business-oriented approach taken in the United States. This conflict, and the highly protective privacy rules of the EU, made it almost impossible for US companies to comply with EU-related rules when dealing with personal data of EU citizens. In the early 2000s, the United States and the EU agreed on a self-certification framework, referred to as the “Safe Harbor Privacy Principles,” to allow personal data to be transferred to US companies. The Safe Harbor allowed a U.S. company to self-certify that its privacy practices satisfied certain enumerated standards.
Last October, the European Court of Justice held that the Safe Harbor was invalid because, among other things, the revelations by former National Security Agency contractor Edward Snowden showed that U.S. authorities could access EU citizen data in the U.S., and that there was no means for redress. Without the Safe Harbor, only expensive and time-consuming approaches under the EU directives were available for those U.S. companies that wanted to comply. Most commentators believe these alternate approaches may be available to larger companies, but won’t be available, at least quickly and economically, to smaller emerging growth companies. They fear that lack of easy compliance will prevent small and emerging growth companies from expanding their operations into Europe.
On February 2, 2016, a new framework was announced by the U.S. and European Union to replace the Safe Harbor. The announcement released by the European Commission states that the new framework, referred to as the “EU-US Privacy Shield,” will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans. It also requires stronger monitoring and enforcement by the U.S. and increased cooperation with European Data Protection Authorities. Access to European citizen data will be subject to clear conditions, limitations, and oversight to prevent “generalized access,” according to the announcement. The U.S. will also be required to appoint an Ombudsperson to receive inquiries or complaints from European citizens. Formal adoption by the EU, and implementation by the U.S., will likely occur over the next few months.
Implications
There are a number of implications, particularly for smaller companies. First, the Privacy Shield will likely be more difficult to comply with than the Safe Harbor, resulting in relatively more resources being devoted to the protection of European citizens' personal data. Second, the trend of companies maintaining servers in the EU to manage European citizen data will probably continue, if not accelerate. Third, more companies will explore anonymizing their EU-originated data before it is transferred to the US. Fourth, until the Privacy Shield is implemented, there will continue to be a great deal of uncertainty over how personal data can be transferred to the U.S.
What’s a small U.S. company to do?
Pending clarification from our friends in the European Union, there are two actions that can be taken now. First, from a legal standpoint, make sure your privacy policy is updated, i.e., it reflects your current practices. Second, from a practical standpoint, make sure that you consider all of your privacy practices and ask yourself whether you would be irritated if your own personal information were treated in a similar manner.
The information appearing in this blog does not constitute legal advice or opinion. Such advice and opinions are provided by the firm only upon engagement with respect to specific factual situations. Specific questions relating to this article should be addressed directly to Strategy Law, LLP.