European Data Privacy: Beware of the Pitfalls
Until fairly recently, concern over data privacy has been a relatively low-profile issue among businesses that have come to rely increasingly on new forms of electronic communications and methods of conducting business and storing data via electronic means. This article provides an overview of the EU's Privacy Directive and alternatives to compliance, including the Safe Harbor adopted by the U.S. Department of Commerce.
Until fairly recently, concern over data privacy has been a relatively low-profile issue among businesses that have come to rely increasingly on new forms of electronic communications and methods of conducting business and storing data via electronic means. Yet in terms of their significance to businesses and consumers and the breadth of their many applications, data privacy issues and the diverse laws and regulations that have arisen to address related concerns impact in some fashion virtually every business. Among the areas where U.S. businesses may unintentionally but nevertheless routinely run afoul of such privacy concerns is compliance with the European Union’s (EU) Directive on Data Privacy (the Privacy Directive). This article provides an overview of the EU’s Privacy Directive and alternatives to compliance, including the Safe Harbor adopted by the U.S. Department of Commerce.
In 1995, the European Parliament and the Council of the European Union adopted the Privacy Directive (Directive 95/46/EC), which required the 15 member states of the EU (Member States) to bring their laws into conformity with the terms of the Privacy Directive by late 1998. The Privacy Directive is not self-implementing, however, and even though the principles set forth in the Privacy Directive apply in all of the Member States, each Member State has its own implementing legislation, which may vary somewhat from one Member State to another. As of the date of this article, all but three Member States (France, Ireland and Luxembourg) have implemented the Privacy Directive. This patchwork of national laws considerably complicates compliance with the individual requirements of each Member State.
APPLICABILITY AND GENERAL REQUIREMENTS
Scope. The Privacy Directive is intended to have broad application. The Privacy Directive requires a “controller” of “personal data” to protect the rights of natural persons with respect to the “processing” of that personal data. Any person or entity that determines the purposes and means of the processing of personal data is deemed to be a controller. For example, an employer would in many cases be a controller with respect to personal data about its employees. Similarly, a company might be a controller of personal data concerning its clients or trading partners and their respective personnel. Moreover, while the increased use of electronic communications and storage systems has heightened data privacy concerns, the Privacy Directive is not limited to electronic records: it applies to personal data processed wholly or partly by automatic means and also to manually processed (paper) data that form part of, or are intended to form part of, a structured filing system.
The Privacy Directive directs Member States to apply their own implementing legislation to the processing of personal information when a company processing personal data is located within that Member State or when the company makes use of equipment located within that Member State, even if the company is not located within the Member State. For example, a Web site operated in the United States that places electronic “cookies” on the computer of a visitor to the Web site who resides in the United Kingdom would be subject to the implementing legislation of the United Kingdom.
The Privacy Directive has potential application to any United States organization that receives information that can identify an individual in the EU, whether such information is obtained from customers, employees or any other source. Although the Privacy Directive does not apply to the processing of all personal data, such as personal data processed concerning national security or processed for purely personal or household activity, organizations should seek legal advice as to any intended use of personal data in a specific Member State before assuming that the particular use is exempt from the Privacy Directive.
The consequences of failing to comply with the Privacy Directive vary by Member State. Most Member States provide significant civil and criminal monetary penalties and other legal sanctions for violations, even those resulting from mere negligence in not adhering to the Privacy Directive. More severely, in some Member States officers and employees of a non-compliant company may face personal criminal liability for failure to comply with the Privacy Directive.
General Requirements. Understanding the Privacy Directive’s requirements requires patience — and perhaps an ample supply of aspirin. A company handling personal data must ensure that the data collected is accurate and that the company has a mechanism in place to update and correct inaccurate data. Data must be processed fairly and lawfully and collected and used only for specific, explicit and legitimate purposes. The Privacy Directive also requires that the data be relevant and not excessive for the purpose for which it is processed and that it be kept for no longer than is necessary.
A guiding principle behind the Privacy Directive is that persons whose personal data is being handled should have agreed to such handling. Consent is the first of the legal bases for processing listed in Article 7 of the Privacy Directive: a company may process personal data if the affected person has unambiguously consented after being adequately informed about the proposed handling of the data. The other bases (processing necessary to perform a contract with the data subject, to comply with a legal obligation, to protect the data subject’s vital interests, to carry out a task in the public interest, or to pursue the controller’s legitimate interests where these are not overridden by the data subject’s rights) are construed narrowly by many Member State supervisory authorities. Thus, for instance, a U.S. company with a location in one or more of the 15 EU countries or otherwise doing business in Europe will in practice need to address the consent requirement for existing and new employees in order to appropriately handle most human resources data.
In addition, certain categories of personal data that are regarded as being especially sensitive are subject to further restrictions under Article 8 of the Privacy Directive. The categories of such sensitive data are information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. Here the consent must be explicit, and a Member State may provide that the prohibition on processing sensitive data cannot be lifted by the data subject’s consent at all.
Determining what constitutes acceptable consent has its own challenges. For transfers of data outside a Member State, special consent rules apply. The Article 29 Working Party, an advisory panel of Member State supervisory authorities established by the Privacy Directive, has indicated that consent is not valid if the person is not informed of the particular risks involved in transferring his or her personal data to a country that does not provide an adequate level of protection. Consent is also not valid in this situation if the person gives only implied consent (e.g., the person is informed of the transfer of his or her personal data and does not object to it).
Obtaining consent is only one of the obligations required under the Privacy Directive of a company collecting personal data for processing. Data subjects must also be made aware of the purposes for which the data is collected and be allowed to access and to correct personal data. A company collecting personal data must also implement specified technical and organizational measures to protect personal data from loss, misuse and unauthorized access or disclosure. If a designee, such as an outside service bureau — called a “processor” under the Privacy Directive — carries out the processing of personal data, there must be a written agreement in place with the processor to process data only in accordance with instructions from the controlling company and only in accordance with the terms of the Privacy Directive. Special reporting requirements to the proper supervisory authority within the applicable Member State must also be complied with.
TRANSFER OF DATA OUTSIDE THE EU
The Privacy Directive provides that a transfer of personal data for processing from a Member State to a non-Member State country, such as the United States, may take place only if that country provides an “adequate level of protection” for the privacy of the transferred data. If a company is located in a country that does not otherwise meet the “adequate level of protection” standard, the company may seek to rely on a series of limited exceptions that permit the transfer of personal data to such a country. The three most commonly used routes are consent of the person whose data is transferred (discussed above), inclusion by the company of Commission-approved contractual clauses in applicable business agreements and, in the case of U.S. companies, compliance with the U.S. Safe Harbor framework (which operates as a Commission finding of adequacy rather than as an exception to the adequacy requirement).
After several years of extensive discussions and negotiations with interested parties, the European Commission in 2001 adopted two sets of standard contractual clauses for the transfer of personal data to third-party countries. Inclusion by businesses of these Commission-approved contractual clauses in their applicable contracts will enable the contracts to be deemed to provide an “adequate level of protection” for personal data. Because these clauses may not be readily applicable or adaptable to every contractual situation and their usage may create ambiguities or additional burdens, a company is well advised to evaluate this option for privacy compliance in relation to other available options.
THE U.S. SAFE HARBOR
The Privacy Directive’s “adequate level of protection” standard is somewhat ambiguous. Because of this ambiguity, the U.S. Department of Commerce and the European Commission negotiated a framework, commonly referred to as the Safe Harbor, under which U.S. organizations that comply with this framework will be deemed to provide an “adequate level of protection” in accordance with the Privacy Directive. All Member States are bound by the European Commission’s finding that the Safe Harbor provides an “adequate level of protection.” Therefore, compliance with the Safe Harbor satisfies the diverse privacy requirements of each Member State.
While compliance with the Safe Harbor may not be appropriate in all circumstances, and is not available to organizations outside the jurisdiction of the Federal Trade Commission or the Department of Transportation (financial institutions and telecommunications carriers, for example, cannot use it), there is a clear trend among U.S. businesses to view the Safe Harbor as the least objectionable manner of complying with the Privacy Directive. The Department of Commerce began accepting Safe Harbor certifications in late 2000. As of the date of this article, over 240 companies have certified under the Safe Harbor, according to the Department of Commerce’s Web site devoted to the Safe Harbor.
SAFE HARBOR PRINCIPLES
While the Safe Harbor Principles are generally clear, the terminology is slightly at odds with the Privacy Directive (e.g., the Principles use the term “individuals” while the Privacy Directive uses the term “data subject”), which is a potential source of ambiguity in adhering to the Safe Harbor. The seven guiding principles are set forth below. Compared to the Privacy Directive, the Principles capture the essential protections of the Privacy Directive in a slightly less burdensome form.
Notice. An organization must inform individuals in a clear and conspicuous manner about the purposes for which it collects and uses personal information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the personal information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable.
Choice. An organization must offer individuals the opportunity to choose (opt out) whether their personal information is: (a) to be disclosed to a third party; or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), they must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt-in choice.
Onward Transfer. To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Privacy Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles.
Security. Organizations creating, maintaining, using or disseminating information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity. Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. An organization should take reasonable steps to ensure that data is reliable for its intended use, and that it is accurate, complete and current.
Access. Individuals must have access to their personal information that an organization holds and be able to correct, amend or delete personal data that is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Enforcement. Effective privacy protection must include mechanisms for ensuring compliance with the Principles, recourse for individuals affected by noncompliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include: (a) readily available and affordable independent recourse mechanisms by which each individual’s complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where provided under applicable law or otherwise; (b) follow-up procedures for verifying that the attestations and assertions made about an organization’s privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by an organization announcing its adherence to them and consequences for such an organization. Sanctions must be sufficiently rigorous to ensure compliance by the organization.
Seeking expanded business opportunities in Europe has long been an attractive means of growth for U.S. businesses. Doing so, however, now involves considerably more attention to the details of privacy law compliance for most businesses. U.S. businesses will also find that Europe’s broad approach to privacy protection is not unique. Other countries with large markets of interest to many U.S. businesses, Canada and Australia to name but two, have also adopted comprehensive laws dealing with data privacy and protection. Because of this, U.S. businesses are well advised to adopt a proactive approach to confirming the existence and applicability of data privacy regulations in Europe and in the other countries in which they do business.