EU-US Privacy Shield—Business Considerations for US Companies Doing Business in the EU

Since the European Commission’s Directive on Data Protection went into effect in October 1998, United States companies that conduct business in Europe have had to be considerate of the EU’s stringent data privacy laws. For a significant period of time, these companies were able to avoid liability for breaches of EU privacy law by relying on the US-EU Safe Harbor, which permitted transfers of personal data controlled in the EU to the US as long as participants complied with principles similar to those in the EU Data Protection Directive.

However, in October 2015, the European Court of Justice invalidated the Safe Harbor, and did not offer any alternatives in its place. Fortunately, the aura of uncertainty ended this month, with the announcement of the new EU-US Privacy Shield. While the details of this new directive have not yet been published, it is expected to retain many of the main elements of Safe Harbor, and add additional safeguards to further protect the personal data of EU citizens.

Before a US company that does business in Europe begins worrying about the US-EU Privacy Shield, it must first determine whether it is required to comply with EU Privacy Laws in the first place.

The European Commission’s Directive on Data Protection applies to all “data controllers” that process or store personal information of EU citizens. In order to be considered a “data controller,” a company must have some sort of physical presence in the EU. This physical presence can mean having an office or server located in the EU, or in some cases this threshold can be reached simply by leaving cookies on an EU user’s computer when he/she visits a website. If a party doesn’t meet this definition of having a physical presence in the EU, then it would not be forced to comply with EU data privacy laws. In addition, if a company does not collect the personal information of users in the EU, it similarly would not be bound by these laws.

Assuming that a company is considered to be a data controller, there are a limited number of options for avoiding use of the EU-US Privacy Shield. Many of these options are infeasible or simply not accessible to most companies, such as using the EU Standard Clauses, or implementing Binding Corporate Rules. One option to consider, however, is affirmative consent. If an EU user affirmatively consents to the transfer of their data outside of the EU, then a company can avoid liability for EU data privacy laws without having to worry about the EU-US Privacy Shield. However, this affirmative consent must be received every single time that data is collected from the EU user, and consent can be revoked at any time. Accordingly, this method may be impractical if a company is collecting a large amount of data from EU users.

If a company would be considered a data controller in the EU, and it would not be practical to obtain affirmative consent every time that it collects data from an EU user, then that company must evaluate how the EU-US Privacy Shield affects its data collection, transfer, and storage procedures.

EU data privacy law is complex and ever-evolving. That is why it is so important to consult with attorneys with experience in EU data privacy compliance before starting to do business in the EU.