Sixty Seconds Of Privacy: EU Enforces Data Protection Law On U.S.-Based Company

Thelen LLP
Welcome to Sixty Seconds of Privacy, an e-newsletter brought to you by the Privacy and Data Security practice group at Thelen Reid Brown Raysman & Steiner LLP.

Each edition of this e-newsletter addresses one interesting legal development in the area of privacy and data security, in a brief "question and answer" format. Each edition is intended to be read in about a minute, yet will update you on an important development. We pick the topics for this e-newsletter based on what our clients are concerned about. You are welcome to submit your questions or suggestions to us, and you may find your sixty second answer in an upcoming edition.

Question: Has the EU been enforcing its data protection laws against U.S.-based companies?

Answer: In the past, EU member countries have not been aggressive in enforcing their data protection laws against U.S. companies with a presence in the EU. However, a recent action by the French Data Protection Authority may signal an end to that attitude, and serves as a timely reminder to U.S. companies of the requirements and reach of EU data protection law. The French Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), fined Tyco Healthcare France, the French subsidiary of a large U.S. multinational corporation, 30,000 Euros in connection with its use of a global human resources database to transfer employee data from France to the U.S.

The laws implementing the EU data protection directive generally prohibit the transfer of personal data to a country (such as the U.S.) whose privacy laws are not "adequate" in the EU's opinion, unless certain EU-approved steps are taken to protect the data.

When the French data protection authority discovered, in the course of an audit, that Tyco Healthcare's French subsidiary was transferring HR data to its parent company in the U.S. without such protections in place, the subsidiary became the first subsidiary of a U.S. company to be fined under the EU's data export provisions, and suffered the second-highest fine issued by the French authority for violation of data protection laws.

A separate recent development illustrates the counterexample: a European subsidiary of a U.S. company, Abbott Laboratories, was protected from liability for data export to the U.S. because the U.S. parent participated in a safe harbor program implemented by the U.S. Department of Commerce and approved by the European Commission.

The take-away: Especially if you have subsidiaries in Europe, the European data protection authorities are watching you with the expectation that your global transfers of personal data will comply with EU law. To achieve compliance, you need to use one of the EU-approved means of legitimizing data transfer to the U.S., such as the safe harbor, intra-company agreements or binding corporate rules.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
