For companies with data users in both the EU and the US, laws protecting users’ privacy vary. Tom Merritt lists five things to know about EU-US data privacy.
If your company holds data on people in both Europe and the US, you have to follow the privacy laws of both. That gets tricky if you store data from European users in the US which has different laws. How do you make sure you’re following the rules and keeping data safe? The answer has changed several times in the past few years. Here are five things to know about the EU-US data privacy.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Either the NSA, Edward Snowden, or both get the blame for making this complicated. From 2000-2015 an agreement called Safe Harbor covered transferring data between the EU and US. When Snowden’s leaks showed the NSA was accessing bulk collected data, Max Schrems brought a lawsuit and the Court of Justice of the European Union threw the regime out as insufficient.
- A second attempt to create a framework, called Privacy Shield was created in 2016. It detailed that the NSA could only access bulk data in six specific cases and created an ombudsperson and other avenues for Europeans to file complaints about data use.
- Max Schrems led a case against this second regime which was declared illegal by the Court of Justice of the European Union in June 2020. Despite the new restrictions and complaint handling, the court said “The limitations on the protection of personal data … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law.”
- There’s still something called Standard Contract Clauses or Binding Corporate Rules that companies can enact on their own. The text of these clauses is created by the EU with the idea that it will protect data transfers as well. A company needs a little more expertise to use these, but they were not declared illegal by the court.
- However, the court did say it was up to companies to make sure they provide adequate protection. A new group, led by Max Schrems, filed complaints against 101 European websites arguing that the US doesn’t provide adequate protection for Europeans against surveillance. Ireland’s Data Protection Commissioner issued a preliminary rule that Facebook’s SCC is not sufficient.
Good news: The EU is working on revisions to the SCC and the US and EU are also working on a new overarching framework. The other option is to keep all your EU data in the EU, but that’s costly and not always practical for smaller companies. In fact, Facebook even intimated it might not be able to operate Instagram and Facebook in Europe if there was no agreement.
Subscribe to TechRepublic Top 5 on YouTube for all the latest tech advice for business pros from Tom Merritt.