European Union Court of Justice Strikes Down Data Privacy Safe Harbor
The Court of Justice of the European Union (CJEU), the EU's highest court, this week struck down the 15-year-old "Safe Harbor" framework that had allowed United States businesses to receive personal data from the EU under a single set of privacy commitments. The case, brought by Austrian privacy activist Max Schrems in the wake of the Edward Snowden revelations about NSA surveillance programs, ended with the Court invalidating the European Commission's Safe Harbor decision and confirming that each member state's data protection authority may independently examine whether a transfer to a third country provides adequate protection. In practice, companies in the U.S., which has no comprehensive national law governing consumer data, can no longer rely on one EU-wide adequacy finding and must instead be prepared to answer to the privacy regulator in each EU country.
For American businesses that process data coming out of EU countries, this potentially creates a great deal of uncertainty and difficulty. Online services, websites, cloud storage, e-commerce, data processing, and more may be affected whenever EU personal data is present. Brick-and-mortar businesses may also be affected if they have international operations: e-mail, off-shore storage, database management, order fulfillment, and more may entail processing of EU data. The persons affected could include employees, customers, clients, vendors, or others.
If you are an online, web, cloud, or similar company, or if you have employees or operations overseas and therefore move HR or other personal data across borders, now is a good time to review your privacy policies, employee handbooks, services agreements, customer files, and related documents. You may also wish to consider what information you collect, what business purpose it serves, and whether you can change your collection and use practices to reduce your exposure. The EU and its member countries have strict rules that are far more consumer-friendly than most laws we have in the U.S.
As a practical matter, this decision may mean that affected U.S. businesses will work to achieve compliance with the strictest EU member country privacy rules (in effect, the most demanding standard in force anywhere in the EU) on matters such as cookies, consumer access to data, the right to be forgotten, and so forth. This will be a big compliance effort. The European Commission currently offers standard contractual clauses (the "model clauses") and approved corporate codes that a company can adopt to signify its compliance with EU rules, but those blanket approaches may themselves be challenged now that the Court has confirmed that each member state's regulator may independently investigate whether a transfer is adequately protected. And even if they stand, compliance with them will require many American companies to re-tool their practices when it comes to data flowing out of the EU.