Going Global? You better make sure you are up on data privacy laws

Laurence Smith is an attorney at Chiesa Shahinian & Giantomasi. (Photo by Aaron Houston)

Why unearth all the muddy details of data privacy laws in the European Union?

Well, Laurence Smith, an attorney at Chiesa Shahinian & Giantomasi, said that, as much of a can of worms as it sounds (the many safeguards afforded to the personal information of residents of the EU's 28 member states), there are very tangible reasons to dig into that regulation.

It's the type of issue that can get, and has gotten, a company into hot water, he said.

“When a New Jersey company wants to expand abroad, there’s an added burden imposed on the potential to transfer data from the EU to the United States,” Smith said. “There’s just not a widespread understanding of these responsibilities. … But there are stiff penalties.”

What makes the protections easier to understand is that they come in the form of one overriding law, one that generally forbids firms based in Europe from transferring any form of personal data about residents to overseas jurisdictions with less strict privacy laws.

Smith said the U.S., by contrast, structures its rules on data sharing around a patchwork of industry regulations, such as those that exist in the medical field or the financial sector.

Private issues
Here’s a sampling of some of the enforceable commitments companies are asked to make under the new EU-US Privacy Shield framework:

  • Businesses are obliged to provide information to customers on a number of key details relating to the processing of their personal data, such as the type of data that’s being collected.
  • Companies may not process data in a way that is incompatible with the purpose for which they told the customer it was being collected.
  • When the purpose is different — even if it’s still compatible with the original purpose — a customer can then opt out of the data collection.
  • Companies must secure customer data under security measures that are deemed “reasonable and appropriate,” taking into account the risks involved in the processing and the nature of the data.

Working against a more widespread understanding of EU data privacy law is the fact that it’s liable to change by the day.

Late last year, a pact referred to as Safe Harbour between the EU and the U.S. was eliminated in the wake of leaks about global surveillance programs. Safe Harbour allowed U.S. companies that were storing customer data to self-certify that they adhered to a set of seven principles, thus clearing themselves to share certain information abroad.

“When it was struck down, it caused a tremendous upheaval and a lot of uncertainty for (local companies) with an EU presence,” Smith said.

In its place recently came the EU-US Privacy Shield framework, which is a similar system of self-certification that has firms making commitments that are enforceable under U.S. law.

And while the new framework has, for now, cleared up trans-Atlantic data flow, it’s currently being challenged before the European courts.

Adding to the potential uncertainty is this year's Brexit vote, in which the United Kingdom set itself on a path toward renouncing its EU membership.

Smith said U.K. decoupling from the EU isn’t expected to have a huge impact on the status of data privacy protections there, in spite of the move’s trade implications.

For now, U.S. companies can expect to continue to make big commitments to securing the information of any residents across the pond.

“Part of the European respect for personally identifiable information traces back to World War II and the way that individual privacy was trampled on during the war,” Smith explained. “So it’s likely to remain a big part of doing business there.”

E-mail to: brettj@njbiz.com
On Twitter: @reporterbrett

Brett Johnson