Personal Data Transfers
Bénédicte Raevens and Kevin Pomfret
Bénédicte Raevens is partner to the Brussels, Belgium office of McGuireWoods and Kevin Pomfret is partner to the Richmond, Virginia office of McGuireWoods.
March 2006, Inside Supply Management® Vol. 17, No. 3, page 36
Failure to comply with personal data transfer laws with the United States' largest trading partner, the European Union, could result in a disruption of business operations and civil penalties. Learn how to best transfer names, digital fingerprints, social security numbers and other critical data.
Every day personal data is exchanged between the European Union (EU) and the United States in the course of business. Examples include HR data shared between a European subsidiary and its U.S. headquarters, or credit card information when a customer in the EU purchases goods or services online from a U.S. company. It's crucial for U.S. businesses to understand the personal data transfers regimes in countries in which they do business.
The EU Versus U.S.
The EU tackles personal data protection in a comprehensive way, so that the EU legislation covers all sectors and virtually all types of personal data. The United States, while moving slowly toward broad federal legislation, still addresses personal data security through a combination of industry self-regulation, state law, and in a few cases, federal laws and regulations.
The EU Directive on the protection of individuals with regard to the processing of personal data and the free movement of such data (the Data Protection Directive or DPD) was developed to harmonize the national provisions of the 25 EU Member States in this field. Under the DPD, companies that process data on their clients and employees are required to observe:
- Fair and lawful processing
- Collection for explicit and legitimate purposes
- Accuracy of the data
- Right of access for data subjects
- Notification of processing to the national supervisory authority
- Appointment of an independent officer in charge of data protection
The definition of processing includes collection, organization, recording, storage, alteration, consultation, use, transmission and destruction of personal data. Moreover, personal data may be processed only in a limited number of circumstances. Processing is permitted (i) if the data subject has unambiguously given consent; (ii) when the data processing is necessary for the performance of a contract involving the data subject (e.g., for billing purposes or relating to an applicant for a job or a loan); (iii) if required by a legal obligation (e.g., obligation of the employer to make employee records available to the authorities); or (iv) if it is necessary to protect the data subject's life (e.g., blood tests of the unconscious victim of a road accident), etc. In addition, the data subject must be informed of any data processing concerning him/her, have access to his/her personal data and have the opportunity to correct any errors. Furthermore, more stringent rules apply to personal data revealing racial or ethnic origin, political opinions, religious beliefs, health or sexual orientation.
The DPD provides that personal data may only be transferred from an EU entity to non-EU countries if the latter guarantee an "adequate" level of protection consistent with the DPD. The adequacy requirement is granted by assessing the data protection laws and the international commitments of the country in question. Where a non-EU country does not ensure an adequate level of protection, the DPD requires the blocking of data transfer.
Currently, the EU has found that Argentina, Canada and Switzerland provide adequate protection; the United States, due primarily to the lack of comprehensive federal legislation, does not grant adequate safeguards. Therefore, in order to receive personal data from the EU, a U.S. company must qualify under one of the following exceptions: DPD, Safe Harbor Principles or Standard Contractual Clauses.
Exceptions in the Directive
The DPD permits the transfer of personal data from the EU to U.S. companies without further requirements in certain circumstances. For example, transfer is permitted when the data subject has given his/her unambiguous consent to the proposed data transfer. Another example is when the transfer is necessary for the performance of a contract between the data subject and the person responsible for the data processing.
Safe Harbor Program
U.S. companies that comply with the Safe Harbor Principles — developed by the U.S. Department of Commerce, together with the EU authorities, industry and non-governmental organizations — can receive personal data from the EU. The Safe Harbor Principles are modeled on the DPD. Adherence to the Safe Harbor Principles is voluntary; participating companies must comply with the Safe Harbor's requirements and self-certify annually. Failure to comply after self-certification can result in civil penalties. Moreover, the EU privacy authorities may suspend data flows to a Safe Harbor entity if it appears that it has violated the Principles.
However, the EU requires that a U.S. public body have the authority to enforce noncompliance with the Safe Harbor Principles after self-certification. Because only the Federal Trade Commission (FTC) and the Department of Transportation (DOT) are currently recognized as enforcement bodies by the EU, only U.S. organizations that are subject to the jurisdiction of the FTC or U.S. carriers and ticket agents subject to the jurisdiction of the DOT may participate in the Safe Harbor program. Therefore, sectors such as telecommunications common carriers, banks, credit unions and non-profit-organizations are currently not eligible for the Safe Harbor Principles.
The DPD also provides that the EU data exporter and the U.S. data importer may contractually agree to sufficient safeguards with regard to personal data protection. To this end, the EU has provided model terms, commonly referred to as Standard Contractual Clauses (visit http://europa.eu.int/comm/justice_home/fsj/privacy/modelcontracts/index_en.htm). These Standard Contractual Clauses contain a legally enforceable declaration whereby both the data exporter and the data importer undertake to process the personal data in accordance with a number of data protection rules. In addition, the data subjects are granted rights under the contract to enforce the relevant provisions of the DPD. If Standard Contractual Clauses are used, the data transfer may occur without prior authorization. Nevertheless, the EU privacy authorities retain a power of control.
Companies intending to transfer personal data to a non-Safe Harbor U.S. entity without using either Standard Contractual Clauses or binding corporate rules may ask for a prior transfer authorization on a case-by-case basis. The authorization will be granted if specific contractual arrangements between the data exporter and importer ensure adequate safeguards with respect to privacy. However, U.S. companies should expect that the commitments required from the parties before granting the individual authorization will be very similar to those required under these other options.
The best choice among the various means of transferring personal data in compliance with the DPD will depend upon the type of personal data being transferred and the number of transfers that will occur. Before setting up personal data flows between a country in the EU and the United States, a U.S. company should be aware of both countries' legal obligations to ensure the smooth flow of business and the avoidance of penalties.
To contact the author or sources mentioned in this article, please send an e-mail to firstname.lastname@example.org.