The Pitfalls of Overlooking European Union Privacy Laws

By now, every U.S. company should understand the importance of protecting private data. Indeed, even companies not subject to the privacy and security laws governing regulated industries such as health care and finance are taking data security seriously, perhaps in reaction to the numerous recent high-profile data breaches that continue to make headlines.

But are U.S. companies taking adequate steps to safeguard the private information of European Union (EU) citizens? Not according to a recent complaint filed with the Federal Trade Commission (FTC). The Center for Digital Democracy (CDD) submitted a request asking the FTC, the U.S. agency charged with overseeing the U.S.-EU Safe Harbor Framework (Safe Harbor), to investigate the practices of more than 30 U.S. companies accused of possible violations of Safe Harbor. The CDD, a self-described nonprofit, nonpartisan organization that is “dedicated to promoting responsible use of new digital communications technologies,” has alleged, among other things, that 30 U.S. data brokers may have violated Safe Harbor by omitting in their mandatory disclosures to EU consumers important information about the data practices under which personal information is processed.

In EU countries, the protection of personal information is deemed to be a “fundamental right” of EU citizens and guaranteed by every EU member state’s laws. The European Commission’s Directive on Data Protection (Directive), which went into effect in 1998, generally prohibits the transfer of personal data to non-EU countries that do not meet the EU adequacy standard for privacy protection.

This is significant for U.S. companies because the EU generally has more stringent data privacy laws than the U.S., due to the differing approaches to privacy protection. The U.S. uses a sectorial approach that relies on a patchwork of state and federal legislation, regulation, and self-regulation. In contrast, the EU has implemented comprehensive legislation that requires, among other things, the creation of a single agency in each EU country called the Data Protection Authority (DPA). This organization is responsible for the enforcement of information privacy laws, registration of databases, and in some instances, prior approval before personal data processing may begin. The U.S. does not have a single DPA, instead opting for a number of agencies that regulate privacy depending on jurisdiction or industry sector. Because of these differences, the Directive could have substantially hindered the ability of U.S. companies to engage in cross-Atlantic transactions.

To help U.S. companies meet the Directive’s adequacy requirement, the U.S. Department of Commerce developed Safe Harbor, which was approved by the European Commission (EC) in 2000. Approval was not unconditional and was not without controversy among the various actors within the EC. In fact, the EC may revoke its approval of Safe Harbor anytime. Despite these issues, however, Safe Harbor remains available to U.S. companies.

Safe Harbor currently allows U.S. companies to voluntarily self-certify their compliance with EU data privacy laws, and thereby avoid business interruptions in transactions with EU companies. Indeed, there are numerous benefits to U.S. companies participating in the Safe Harbor program. First, U.S. companies participating in the Safe Harbor program are deemed able to provide adequate privacy protection, and all member states of the EU are bound by that finding. In addition, claims brought by EU citizens against U.S. participants in Safe Harbor will be heard in the U.S., subject to limited exceptions. Also, compliance requirements are streamlined and cost-effective, which should be particularly beneficial to small- and medium-sized businesses.

Participants in the Safe Harbor program must comply with seven privacy principles:

1. Notice: Individuals must be notified about the purposes for which information is collected and used about them; how individuals can contact the company with any inquiries or complaints; and the types of third parties to which the company discloses information and the choices and means the company offers for limiting the use and disclosure of the information.
2. Choice: Individuals must be given the opportunity to opt out of having their information disclosed to a third party or used for a purpose different from the purpose for which it was originally collected.
3. Transfers to Third Parties: To disclose information to a third party, companies must adhere to the notice and choice principles. If the transfer is to an agent, the company must ensure that the third party adheres to the Safe Harbor privacy principles or is subject to the Directive or another adequacy finding. Alternatively, the company could enter into a written agreement with the third party whereby the third party is obligated to provide at least the same level of privacy protection as required by the Safe Harbor privacy principles.
4. Access: Subject to certain exceptions, individuals must have access to personal information about them that the company holds in order to be able to correct, amend, or delete information that is inaccurate.
5. Security: Companies must take reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
6. Data Integrity: Personal information must be relevant for the purposes for which it was collected, and companies should take reasonable steps to ensure that data is reliable for its intended use and that the information is accurate, complete, and current.
7. Enforcement: An affordable and independent enforcement mechanism must be readily available to investigate and resolve complaints and award damages. Companies also are required to provide annual self-certification letters or they may lose their Safe Harbor benefits.

Whether the FTC will take action on the CDD’s request for an investigation remains to be seen. It should be noted that last year, the EC indicated its approval of Safe Harbor might be revoked or amended due in part to concerns that EU privacy laws are not being effectively enforced. In response to these concerns, FTC Commissioner Julie Brill told the European Institute in a panel discussion that the FTC “vigorously enforces” Safe Harbor and that the FTC will continue to make Safe Harbor a “top enforcement priority.” She noted that since 2009, the FTC has brought 10 Safe Harbor cases against U.S. companies, including Google, Facebook, and Myspace. Indeed, according to Commissioner Brill, the FTC assessed a civil penalty of $22.5 million against Google for violating a consent decree.

Given the FTC’s stated commitment to enhancing Safe Harbor enforcement, U.S. companies participating in the Safe Harbor program may expect heightened scrutiny. Therefore, they should not take lightly their obligation to comply with EU privacy laws. Safe Harbor participants also should monitor developments in the Safe Harbor program for any changes that may occur as a result of actions that the EC may take to address its concerns with U.S. enforcement.