In early October, the European Court of Justice, an EU tribunal, declared that the US Department of Commerce safe harbor standards for ensuring internet privacy were insufficient under EU law.
This has the potential to cause the EU to view data transfers from anywhere in the European Union to the US as being unlawful infringements on the privacy rights of persons in the EU. On October 16, 2015, an EU advisory board (with representatives from multiple European data protection authorities, or “DPAs”) announced that the DPAs may take enforcement actions against US companies, starting at the end of January 2016, if US authorities have not negotiated an appropriate solution by that time. An appropriate solution here would probably entail stricter privacy protection guarantees under the US safe harbor program, including the widely-used self-certifying safe harbor.
This development may stem, in part, from continuing disclosures about US government access to private e-mails and other online communications. Keep your eye on these issues.
There has been relatively little publicity about the formal EU legal response to political concerns about internet privacy in the US. Even for US businesses that have little direct customer contact from the EU, many vendor or large-customer contracts now have boilerplate language insisting that the contracting parties warrant their compliance with the safe harbor privacy principles administered by the US Department of Commerce. If and when those principles change, companies will have to review their privacy practices. And if there is no accommodation reached by the end of January 2016, there might be a new potential exposure to enforcement actions from the EU.
As the US grows increasingly assertive in its efforts to regulate non-US banks, and as the EU becomes more aggressive with antitrust reviews of cross-border merger activity, we can add internet privacy to the list of legal issues where global compliance is becoming vital for businesses of all sizes.
This article originally appeared in the ACBA Business Law Section’s November 2015 Newsletter.