Personal Data Exchange Between the EU and the U.S. April 2009
The European Commission has found that the U.K. is not adequately protecting personal electronic data, a finding that should cause U.S. companies to review their privacy policies and determine if they can self-certify their compliance with the European Commission’s Directive on Data Protection.
Many U.S. companies continue to struggle with European Directive 95/46 on the protection of individuals with regard to the processing of personal data and free movement of that data (the “Data Protection Directive”). The Data Protection Directive provides that personal data may only be transferred to countries outside the European Union if those countries can guarantee an adequate level of protection. According to the European Commission (“EC”), the U.S. does not require an adequate level of protection. To address this issue, the EC has recognized the U.S. Department of Commerce's Safe Harbor Framework as providing adequate protection.
As of March 1, 2009, by meeting certain requirements a U.S. company can self-certify its compliance under the safe harbor framework and be deemed to adequately protect personal data. This finding of adequacy binds all the EU countries, allowing U.S. companies to extend their business within the EU. Furthermore, EU countries’ national requirements for prior approval of data transfers are waived, or approval is automatically granted. To join the Safe Harbor, U.S. companies must prepare a well-crafted privacy policy that demonstrates the personal data of employees, customers and others is adequately protected.
Not providing the required level of protection to EU personal data can lead to liability in the U.S. U.S. companies are required to have a dispute resolution system to address complaints and disputes. The EC has issued standard clauses for the transfer of personal data to third countries. The effect of adopting these clauses is to guarantee that the transfer and processing of personal data provides an adequate level of protection. U.S. companies receiving EU personal data in the course of their business should also check whether they fall within the “specific circumstances” list of the Directive, which allows the transfer of personal data to third countries not offering an adequate level of protection.
Whether it is by joining the Safe Harbor, by adopting the Commission’s standard clauses, or by falling under a narrow exception of the Directive, U.S. companies that do business with EU partners are encouraged to determine whether the data they receive are “personal data” within the meaning of the Directive and whether they have a privacy policy that complies with the Data Protection Directive. For questions and assistance, please contact Associate/Juriste en Droit Européen, Jordane-Christine Fura.