International Communiqué: Global Privacy Protection - How to Comply with European Rules
The privacy laws of Europe and the United States are not the same. In general, European law requires that companies safeguard personal information, and not use or release it without the individual's express consent. The US, by contrast and with important exceptions, generally takes an "opt-out" view – unless an individual expressly directs that personal data not be used or shared with third parties, a company may do so. This is coupled with an emerging consensus that consumers have the right to choose how much of their data might be used or shared, with an implied consent if the person does not affirmatively indicate the desire that the data not be so used or shared. The "opt-in" rules of Europe and the "opt-out" rules of the United States are oversimplifications. But they represent a basic difference in starting point for how the privacy of personal information is viewed.
The European Union's Directive on Data Protection was issued as a mandate to EU countries in 1998. To implement this Directive from Brussels, EU countries enacted "opt-in" laws that forbid the transfer of most personal information about individuals without their express consent. EU country laws generally do not protect corporate or non-personal information, but treat as confidential almost all personal information, including addresses, birth dates, purchasing patterns and financial information. The European approach is a system of central government control. This contrasts with the highly decentralized US approach. With notable exceptions (medical records covered by HIPAA; financial institution records per FDIC and other regulations), privacy matters in the US are left to self-regulation or state law. Because of this, Europe does not consider the United States to be a country that adequately protects personal information. Because European laws forbid transfers of personal data to third countries that do not protect private personal information to the same extent as Europe, this creates potential liability for US and European businesses in their sharing and use of personal data. This issue affects businesses of all sizes, ranging from the small US company with three employees in Paris to a US credit card management company that processes millions of transactions for European customers.
Europe offers a "safe harbor" approach to individual US companies to avoid liability and to comply with EU requirements. A US company that wants to obtain and use data about EU persons can commit to the same "opt-in" approach for EU personal data as it would have to respect if it were operating in Europe. The voluntary US-EU safe harbor program was adopted by about 130 US companies in its first year. 1,840 US companies have self-certified under the US safe harbor program as of June 2009. These companies commit to "opt-in" EU principles in their handling of EU persons' data, and subject themselves to voluntary private enforcement procedures and regulatory oversight by the US Federal Trade Commission (FTC) that would not otherwise be required. Financial services, transportation and other companies that are not under FTC supervision are excluded from the program.
There are other ways for companies to comply with EU rules in handling data flow of European personal information. First, transfers of data are permitted that are necessary on substantial public interest grounds or in aid of defense of the legal rights of the holder of the data (e.g., for litigation in the US). A "vital interest" exception allows data transfers about EU individuals to protect their health or safety (medical information given to a US doctor treating a European patient).
Second, two sets of model contract clauses have been approved by the EU, as alternatives to safe harbor. Companies that adopt and use them may receive and transfer data involving Europeans. Introduced in June 2001, the first set of approved model contract clauses embrace similar principles to the safe harbor program:
- specified limits on data usage, disclosure and retention
- insistence that data be updated, accurate and limited to the purpose specified
- required disclosure of how the data will be used or shared
- adequate confidentiality and security controls
- limits on further disclosures, and
- an express opt-out option from marketing personal information.
The EU adopted a second set of model contract clauses on April 1, 2005. These clauses provide an alternative to the 2001 clauses. Companies can choose between these contractual alternatives. The biggest difference between the first and second set of clauses is the lack of joint and several liability between the EU exporter and third country importer of personal data under the 2005 clauses. Under the newer clauses, an EU citizen can sue data exporters and importers only for damages each party separately caused. Another benefit provided by the alternative clauses is flexibility. The 2005 clauses allow for updating factual information into the clauses and for additional commercial clauses to be included.
While the alternative clauses provide some benefits over the 2001 set, there are also risks. Companies that employ the 2005 clauses subject themselves to EU regulators, laws and courts. EU privacy regulators have the power to terminate data flows that they find unlawful or non-compliant. The possibility of data flow and business interruptions should be carefully considered before adopting the alternative clauses. Moreover, data importers agree to provide proof of financial resources and audits of facilities to determine compliance under the laws of the exporter's country. Companies that import data from countries with an aggressive enforcement history should carefully consider the risks before using the alternative clauses.
Adopting model contract language should not be done without understanding the legal and practical implications. Some EU countries require that contracts be deposited with their central authority, or no protection is available. Companies run the risk of revealing confidential information about their businesses if they are compelled by regulators to disclose privacy contracts or other documents. For this and other reasons, it is thought that model contract language has been used less than the safe harbor approach.
Each EU country is free to adopt and enforce its own privacy rules (as long as they are consistent with and no less protective than the EU Directive). This means that US companies that have significant personal data flows from particular European countries should check compliance against not only the EU Directive (and the safe harbor or contractual approach) but also against any particular rules of the countries from which data is being obtained. Enforcement has been spotty, but there have been high-profile casesthat were costly and embarrassing to the companies involved.
Frost Brown Todd's Privacy and Information Security Law service team assists companies in meeting the differing and evolving rules that affect global business. Through MULTILAW, one of the world's leading associations of independent law firms and otherwise, we assist companies in their compliance with global privacy laws.