Why unearth all the muddy details of data privacy laws in the European Union?
Well, Laurence Smith, an attorney at Chiesa Shahinian & Giantomasi, said that, as much of a can of worms as the many safeguards afforded to the information of residents in the 28 member states of the EU may sound, there are very tangible reasons to dig into that regulation.
It’s the type of issue that can get, and has gotten, a company into hot water, he said.
“When a New Jersey company wants to expand abroad, there’s an added burden imposed on the potential to transfer data from the EU to the United States,” Smith said. “There’s just not a widespread understanding of these responsibilities. … But there are stiff penalties.”
What makes the protections easier to understand is that they come in the form of one overriding law, which generally forbids European firms, or those based there, from transferring any form of personal data about residents to overseas jurisdictions with less strict privacy laws.
Smith said the U.S., by contrast, structures its rules on data sharing around a patchwork of industry regulations, such as those that exist in the medical field or the financial sector.
Here’s a sampling of some of the enforceable commitments companies are asked to make under the new EU-US Privacy Shield framework:
Working against a more widespread understanding of EU data privacy law is the fact that it’s liable to change by the day.
Late last year, a pact referred to as Safe Harbour between the EU and the U.S. was eliminated in the wake of leaks about global surveillance programs. Safe Harbour allowed U.S. companies that were storing customer data to self-certify that they adhered to a set of seven principles, thus clearing themselves to share certain information abroad.
“When it was struck down, it caused a tremendous upheaval and a lot of uncertainty for (local companies) with an EU presence,” Smith said.
In its place recently came the EU-US Privacy Shield framework, which is a similar system of self-certification that has firms making commitments that are enforceable under U.S. law.
And while the new framework has, for now, cleared up trans-Atlantic data flow, it’s currently being challenged before the European courts.
Adding to the potential uncertainty is this year’s Brexit vote, with which the United Kingdom started on a path of renouncing its EU membership.
Smith said U.K. decoupling from the EU isn’t expected to have a huge impact on the status of data privacy protections there, in spite of the move’s trade implications.
For now, U.S. companies can expect to continue to make big commitments to securing the information of any residents across the pond.
“Part of the European respect for personally identifiable information traces back to World War II and the way that individual privacy was trampled on during the war,” Smith explained. “So it’s likely to remain a big part of doing business there.”
On Twitter: @reporterbrett