Over the past six months you have probably been bombarded with data privacy articles, questions, and concerns regarding the European Union ("EU"). Given the sheer volume of material on the topic, it is difficult to figure out what you really need to know about the current state of data privacy and data protection in Europe. We saw the European Court of Justice strike down the U.S.-EU "Safe Harbor" agreement last October (which will likely be replaced by the new "Privacy Shield" agreement). We know that the EU recently approved a new EU-wide data privacy law. The hard part, however, is figuring out what it all means. This edition of "Ten Things" will try to sum things up in a useful way, so that when those questions and concerns come across your desk you have some ready answers and a road map for the next steps you and your company need to take to comply with the changes in EU data privacy law:
Earlier this year I discussed data privacy essentials for in-house counsel. That post covered a number of basic data privacy issues, including the 2000 U.S.-EU Safe Harbor Agreement. The agreement allows U.S. companies that self-certify and agree to its terms to lawfully transfer personal data from the EU to the U.S. The agreement was necessary because the European Commission (the "Commission") had determined that the U.S. did not have "adequate" data protection laws; without such an agreement, the ability to transfer personal data out of the EU and into the U.S. was limited under Article 25(6) of the 1995 Data Protection Directive, which allows transfers to a non-EU country only where the Commission has found that country's protection adequate. The Safe Harbor Agreement remedied the problem by creating a mechanism under which U.S. companies could agree to apply core EU data protection principles to personal data and subject themselves to regulatory oversight by the Federal Trade Commission or the Department of Transportation.
Last week (October 6, 2015) the European Court of Justice invalidated the Commission decision underlying the Safe Harbor Agreement. The court found that the agreement did not provide data protection "essentially equivalent" to that guaranteed to EU citizens under EU law, primarily because of the access to personal data that U.S. intelligence agencies had under surveillance programs such as PRISM, access that was not limited to what was strictly necessary and that gave EU citizens no effective judicial remedy. The court also held that national Data Protection Authorities (DPAs) are empowered to independently examine whether a transfer to a non-EU country provides adequate protection, even where the Commission has already made an adequacy determination. One caveat practitioners should keep in mind: a DPA cannot itself strike down a Commission adequacy decision; it can investigate a complaint and, if it finds the complaint well founded, bring the matter before the national courts so that the question can be referred to the European Court of Justice, which alone can declare the decision invalid.
The result is a big mess regarding how companies that relied on the Safe Harbor Agreement can lawfully transfer personal data out of the EU and into the U.S., and how things will work in the future if DPAs can second-guess a Commission decision on the adequacy of data protection in non-EU countries. This edition of Ten Things discusses some practical things U.S. companies should do next in light of last week's development.