Data Privacy and Protection: EU as Compared with U.S.
Apr 14, 2010 QuickCounsel Download PDF
Data Protection laws in the European Union, Canada, and other countries, require companies to ensure they take appropriate steps to safeguard personal information both in their possession and being processed on their behalf. While in the U.S. the approach towards data privacy tends to deal with industry-wide legislation and regulation, or even self-regulation, outside of the U.S., there are often specific laws which govern the control and processing of any personal information.
Laws in other jurisdictions are often more stringent than in the U.S. An example of a data protection law that differs from the U.S. approach is the European Union Directive 95/46/EC ("EU Directive"). Among the basic principles of the EU Directive are:
"Personal data" is data about a living individual from which an individual can be identified and is genuinely viewed more broadly in the EU than in the U.S. Two separate pieces of information (things such as an address on a Christmas card list, a photo i.d., work telephone numbers or expense reimbursement data), which if put together can be used to identify a particular individual, can constitute "personal data" under the EU Directive.
Under the EU Directive, the prohibited transfer of personal data to countries which do not have in place adequate protection for personal information means transfer to the U.S. is prohibited, unless other mechanisms are put in place to ensure the EU-required level of protection. Consent of the individual may be one such mechanism, but some EU members deem consent from an employee not to be freely given and therefore not valid. Voluntary compliance with certain Safe Harbor principles is another mechanism. Model contract clauses and approved binding Intra-Group Rules are other mechanisms which might be employed.
Employees have certain rights and must be informed of the information being collected, the purposes for which it is being used, and any information transferred outside of the EU. The EU Directive (as individually implemented by the member states of the EU) will apply to companies on various occasions, in particular when information is being processed on equipment located in Europe, if a company has an office located within the EU or if the company has customers in the EU.
The EU Directive applies to both electronically stored and manually stored information and it applies to potential employees, existing employees, customers, suppliers and any individuals the company may come in contact with.
Failure to comply with the EU Directive can result in investigation by the local data protection agency and the levying of fines. Employee relations can suffer and leave the company in a weak position in negotiating with Works Councils or trade unions. Potential criminal sanctions for a company and possibly for individual officers are other good reasons to ensure compliance.
Noncompliance can also result in bad publicity, which can even damage share prices. And regarding customer information, it is important to be data protection compliant for many reasons, not the least of which is in preparation for a possible sale of the company. If the database of the company is not lawful, the price can be negatively impacted.
Sample data protection policies of multinational companies reflect certain considerations that are personal to the company, but most include an assessment of the company's personal information practices, the implementation of detailed internal policies and the establishment of clear lines of responsibility for privacy. Contracts with service providers need to be evaluated and address privacy issues. Regular assessments to verify compliance are recommended.
Additional ACC Resources
ACC Resource Library
Have an idea for a quickcounsel or interested in writing one?
Table of Contents