Data protection is a priority in the EU and much more strictly regulated there than in the United States. While the US uses a sector-specific approach to data privacy (e.g. HIPAA, COPPA, etc.), the EU recognizes data protection as a human right and regulates it across all sectors. For many US companies, complying with EU regulations and the local rules of EU member states is prohibitively complex and costly. To address this issue, the US and EU negotiated a framework allowing American companies to certify compliance with basic data protection principles. This framework, formerly known as Safe Harbor and soon to be replaced by the EU Commission’s “Privacy Shield”, does reduce the compliance burden for US companies, but certification alone does not sufficiently ensure EU data protection compliance. In fact, under the recently passed General Data Protection Regulation, data protection expectations for American companies have become stricter still.
EU data protection laws are in flux, making compliance a potentially difficult moving target. In the past few months, longstanding data protection laws have been replaced with stricter regulations. For example, the Data Protection Directive has been replaced by the General Data Protection Regulation (GDPR), and the old Safe Harbor compliance framework for U.S. companies is being replaced by Privacy Shield. Even these two new laws are likely to evolve over the next few years. In fact, Privacy Shield is already being challenged by privacy advocates in Europe, and American companies cannot fully rely on its continued validity.
Five Things Your Company Should Know About US-EU Data Protection Regulations
If your company is operating in the EU market, you must be aware of the GDPR and strictly follow its guidelines. There are five key elements each American company must keep in mind to make this possible.
- The GDPR applies to all companies targeting or selling to EU citizens, not just EU companies. It’s easy to assume that EU law doesn’t apply to you because your company has no physical or significant presence in the EU, but the text of the GDPR makes it clear that any interaction with EU consumer data brings your company under its jurisdiction. If your website collects data on EU citizens, your company must comply.
- Privacy Shield certification is not sufficient for compliance. After the leaks by Edward Snowden, the European Court of Justice declared the old Safe Harbor principles of data protection to be insufficient to protect the interests of EU citizens. Privacy Shield has been proposed to replace these regulations for American companies, but even this is not finalized, nor is it necessarily enough to keep your company in compliance with all EU data protection laws. Like Safe Harbor, Privacy Shield includes a self-certification registration. However, it additionally obligates US companies to abide by Privacy Principles and to implement certain dispute resolution procedures. The best way to ensure that you are complying is to work with a privacy lawyer with international experience to implement policies consistent with the Privacy Principles and GDPR requirements. You’ll find that this long-term solution will better protect your company.
- All data policies must be fully transparent, clear, and easy to find. Consumers have the right to easily understand when and how their data will be used. Your data privacy policy must be easy to understand and easy to find on your website. The best way to make sure that your policies are clear is to write them in plain language, and to minimize the data you collect strictly to what is necessary for its purpose.
- Consumer consent is key in the collection, processing, and storage of data. The main principle guiding all data protection regulations in the European Union is consent and personal control. Customers must not only consent to the collection and use of their data, but they must also consent to its “onward transfer.” This core value of consent extends to the right to revoke consent at any time, and your company must clearly describe its policies for deleting personal information (required by EU citizens’ “right to be forgotten”) and for how recovered data is held. In cases where children use your website, the rules require parental consent for data collection and restrictions on website usage by minors.
- Sanctions for failure to follow EU data protection laws are severe, and both U.S. and EU authorities can hand them down under either the Privacy Shield or the GDPR. Under the GDPR, fines for failure to comply with any of the elements of EU data protection law can go as high as 4% of the business’s total worldwide revenue for the previous year. In addition, the U.S. authorities can impose sanctions just as easily as EU authorities. These punitive measures have the potential to cripple any business. While the administrative costs of these directives may be high, ignoring any element of data privacy is not worth the risk of fines.
***
The EU market offers any company an amazing opportunity to expand its market share and increase revenue, but operating in the EU requires careful compliance with EU laws, member state rules, and other community laws. Every American company should not only review its own data policies but should also review the policies of partners and third parties contracted to handle data, and should appoint a qualified data protection officer or a chief privacy officer to oversee the execution of these policies. With the help of an experienced privacy lawyer, you can effectively manage your data compliance and protect your company from costly sanctions.