Three years after the European Union’s Directive on Data Protection (the “Privacy Directive”) took effect, and over a year after the US-brokered safe harbor program was introduced, uncertainty about European data privacy requirements continues among US businesses. This uncertainty has led companies to adopt a range of different strategies for handling EU-origin personal information. With the implementation of the Privacy Directive now nearing completion, US companies need to decide how to address the EU’s privacy policies.
As discussed in our June 24, 1999 and April 18, 2000 Internet Alerts, the Privacy Directive requires the 15 European Union countries to enact laws to protect the privacy of personally identifiable information. All of the EU countries except France, Ireland and Luxembourg have adopted laws that comply with the Privacy Directive.
The Privacy Directive mandates broad privacy regulations administered by a centralized government-administered data protection authority in each country. It rejects the US approach to privacy protection, which relies on a decentralized combination of federal and state laws, private industry associations and the market power of consumers seeking privacy protection. The Privacy Directive also requires EU countries to prohibit transfers of personal information to third countries – such as the US – that are deemed by the EU to lack adequate privacy laws.
US companies that need to obtain and use EU-origin personal information have several means for overcoming the EU’s adequacy requirement, depending upon why the information is needed and how it will be used:
Consent. The Privacy Directive generally allows personal data to be used and disclosed with the unambiguous consent of the individual to whom the data relates. This approach may be preferable for US companies that have direct relationships with EU individuals.
Contractual necessity. The Privacy Directive allows transfers that are necessary for the performance of a contract with the EU individual, or for pre-contractual measures taken in response to the individual's request. This approach may be preferable for US companies that engage in individual transactions with EU persons. The Privacy Directive also allows transfers that are necessary for the conclusion or performance of a contract concluded in the interest of the individual, such as the processing of a transaction or application submitted by the individual.
Public interest or legal claims. The Privacy Directive allows transfers that are necessary on important public interest grounds or to defend or exercise the legal rights of the holder of the data. This exception would allow transfers of information by EU entities that are involved in legal proceedings in the US.
Vital interests. The Privacy Directive allows transfers that are necessary in order to protect the vital interests of EU individuals, such as matters affecting an individual’s health or safety.
Public data. The Privacy Directive allows transfers of information that is available from open, public sources.
Safe Harbor. The Privacy Directive allows transfers to US entities that are enrolled in the voluntary US-EU safe harbor program. A company’s voluntary compliance with the safe harbor principles is an acceptable substitute for adequate US privacy laws. This option is intended to appeal to US companies requiring large scale transfers of EU-origin personal information, when it is impossible or impractical to deal directly with the EU individuals. The safe harbor program is not presently open to financial services companies.
As reported in our February 14, 2001 Internet Alert, US companies have been slow to embrace the safe harbor program in light of other compliance options and uncertain enforcement. In the 13 months since the safe harbor program was implemented, only about 130 US companies have enrolled in the safe harbor program. Although the safe harbor requires companies to voluntarily submit to private enforcement procedures and a level of federal regulatory oversight that would not otherwise occur, self-certifying companies have apparently concluded that the safe harbor merely formalizes the types of privacy practices that their businesses require.
Model Contract Clauses. The Privacy Directive allows transfers of information to entities that have contractually agreed to observe certain minimum privacy protections. Many US companies hesitated to enroll in the safe harbor while the EU’s model contract clauses were being developed. The model contract clauses were introduced in June 2001, and impose requirements that are at least comparable to the safe harbor, including: mandatory limitations on the purposes of any use, disclosure, or retention of personal information; requirements that the information be accurate, up to date, and limited to what is needed for the specified purpose; disclosures regarding how the information will be used by the US recipient; appropriate security and confidentiality safeguards; limitations on further disclosures, or “onward transfers,” by the US recipient; and an opt-out option from marketing uses of personal information.
Significantly, the model contracts also provide that US data importers shall be jointly liable with EU data exporters for damages suffered by individuals in the event of a breach of privacy. In addition, the contracts must be entered into on a party-by-party basis, rather than the one-time certification under the safe harbor. Furthermore, some countries may require that the contracts be deposited with the national data protection authority. Consequently, the model contracts have not proven to be a popular alternative to the safe harbor. On December 4, 2001, the EU proposed less-restrictive model contract clauses, for transfers to entities that merely process limited EU data as contractors subject to the continued direction and oversight of an EU data controller.
US companies may soon have to decide how they propose to handle EU-origin personal data. In connection with the negotiation of the safe harbor, the EU agreed to an enforcement moratorium, or “standstill,” that was to end in June 2001. The EU then indicated that the standstill would remain in place for an unspecified period as the EU completed a review of Privacy Directive implementation issues. More recently, some EU officials have reportedly stated that EU member countries are now free to use their own discretion in enforcing their privacy rules. So far, there have been only a few relatively minor privacy enforcement actions, and there is no indication that more aggressive enforcement is imminent.
With privacy laws in place in most EU countries, and both the safe harbor and model contracts available to US companies, there are no plans for adding any new ways to help US companies comply with the Privacy Directive. Although enforcement remains spotty, more US companies are looking to the safe harbor as an imperfect – but least burdensome – route for obtaining personal data from EU countries.
European Union materials © European Communities 1995-2001.