Visit our web site at www.sunsteinlaw.com

Wednesday, February 17, 2016

The EU Reveres Data Privacy, the US Puts National Security First, and US Businesses are Caught in the Middle

By Thomas C. Carey, Chair of our Business Practice Group

Imagine that you run a small software company that has developed point-of-sale software for amusement parks, zoos and other entertainment venues. You’re based in North Carolina with no overseas offices. If you think that means you need not worry about European privacy law, you’d be wrong. That company, CenterEdge Software, is one of more than 4,500 US companies that have registered for the protection afforded by the US-EU Safe Harbor Program.

CenterEdge’s software is in use in Europe, where it is used to collect information about individuals, so the company’s exposure to EU law is significant. Similarly, many other US-based companies, such as cellphone app developers and websites that sell to EU customers, need to be aware of developments in EU privacy laws.

The right to privacy is explicitly recognized in the EU by virtue of the European Convention on Human Rights. The EU restricts the transfer of data about EU individuals to countries that do not ensure an adequate level of protection of that data. While a few non-EU countries have been designated as having an adequate level of protection, the United States has not.

This affects US companies that have operations in Europe or that process data about individual residents of the EU on behalf of European customers. For example, credit card processors, software companies, relocation companies, advertisers, financial institutions and service companies have all had to pay attention to EU data privacy regulations. Soon, the EU law will apply to anyone who directs sales activity to EU residents, whether they have a presence in Europe or not.

There are ways for EU companies to transfer data to entities in countries like the United States that are deemed to have inadequate privacy protections. For example, the EU company can enter into contracts having the exact terms spelled out in so-called “Model Clauses” promulgated by the EU Commission. Another method is available for transfers between corporate affiliates if they enter into binding corporate resolutions. Another method involves obtaining the “unambiguous consent” of the individuals involved.

The US-EU Safe Harbor Framework
Construction. In 2000, the US and the EU adopted another way to permit data transfers to US entities: the US-EU Safe Harbor Framework. This arrangement was negotiated by the United States Commerce Department and the European Commission. Under that framework, a US company could certify its adherence to certain basic principles of EU privacy laws, designate a privacy officer to receive inquiries or complaints from EU citizens, and appoint a third party to hear privacy complaints of EU citizens who are not satisfied with the response from that privacy officer. Having taken those steps, the company could then be registered on a list maintained by the US Commerce Department. This procedure has been adopted by over 4,500 US companies.

In negotiating the Safe Harbor Framework, the US insisted that the safeguards of the program be subject to an override in favor of investigations for purposes of law enforcement and national security. This US policy choice eventually led to the unravelling of the EU-US Safe Harbor.

Deconstruction. The first loose thread appeared in the fall of 2011, when a Facebook privacy lawyer addressed a class at the Santa Clara Law School. Max Schrems, an Austrian law student who was in the class, was surprised to see how badly Facebook underestimated the stringency of EU privacy law.