European Union Rejects U.S. Data Privacy Laws

The European Union Court of Justice in early October struck down the Safe Harbor Agreement between the United States and Europe, essentially limiting what American firms can do with customer data from their European clientele.

The court’s ruling, handed down Oct. 6, was effective immediately, providing no grace period for companies relying on the agreement to facilitate transatlantic data flows.

The court determined that U.S. data privacy laws lag behind those of the 28 countries that make up the European Union and therefore invalidate the agreement, in place since 2000. It held that the United States allows large-scale collection and transfer of personal data without proper means of redress or effective judicial protection for consumers.

The European court, in striking down the agreement, cited a lack of oversight by the U.S. Federal Trade Commission and Department of Commerce, the two agencies charged with ensuring U.S. firms held up their end of the accord.

The European Union had been concerned about the flow of data with the U.S. since 2013 when Edward Snowden, a Central Intelligence Agency (CIA) and National Security Agency (NSA) contractor-turned-whistleblower, made public some of the U.S. government’s surveillance activities. Austrian privacy advocate Max Schrems used the revelations to bring the Safe Harbor Agreement case to court.

Under the Safe Harbor Agreement, more than 4,500 U.S. companies were allowed to transfer data from Europe to the U.S. after certifying the protections they offered were comparable to Europe’s.

The European Union’s requirements include the following seven principles:

• Notice: Individuals must be informed that their data is being collected and about how it will be used.

• Choice: Individuals must be able to opt out of the collection and transfer of data to third parties.

• Onward transfer: Data can only be given to third parties that follow adequate data protection protocols.

• Security: Reasonable efforts must be made to prevent the loss of collected data.

• Data integrity: Data must be relevant and reliable.

• Access: Individuals must be able to access the information held about them and be able to correct or delete it.

• Enforcement: There must be an effective means of enforcing these rules.

With the invalidation of the Safe Harbor Agreement, European Union countries can now suspend data transfers that start within their borders.

That, the Direct Marketing Association contends, could hurt businesses. The ruling "puts at risk…the ability of marketers and businesses to effectively provide their customers with information that allows them to access products and services they need and desire," Christopher Oswald, the DMA’s vice president of advocacy, said in a statement.

"The flow of consumer marketing information is essential to the global economy and millions of jobs worldwide," Oswald continued. "Countries and consumers benefit from the ability of businesses to use data to create valuable products and services, enhance productivity, improve efficiency, deter fraud, and foster economic growth."

The U.S. Department of Commerce has reportedly been working with the union for the past two years to update the agreement, but so far there has been no word as to when an amended version might be completed. U.S. Commerce secretary Penny Pritziker released a statement following the European court's decision saying that the ruling "necessitates release of the updated Safe Harbor Framework as soon as possible."

In the meantime, U.S. firms might now have to negotiate new data transfer agreements with each individual European Union country and could face penalties for failing to comply with existing data protection laws in each country.

"U.S. businesses receiving data will now need to ensure they conform to standards [in each country], both from a systems and a security basis and from a data usage standpoint," explains Fiona Green, director of WinnersFDD, a CRM and business intelligence consulting firm based in England. "Here in Europe, we have to issue trans-border data processing agreements when sending data outside of our own territories. Presumably, these will now be a legal necessity between European offices and their U.S. headquarters."

Firms are urged to do internal audits of data flows from Europe to assess how their usage fits into European standards and exemptions.