What US Companies Need to Know about EU Privacy Laws
The European Union (EU) is a large politico-economic union consisting of 28 countries, having a total population of more than 500,000 million people. The economic wealth of the EU attracts many US companies. However, some of those companies are not familiar with the comprehensive EU privacy laws. As Toby Duthie, a data protection expert, states: “To many US companies, the EU laws often remain an anathema and their instinctive reaction is to comply with US government and court demands first and worry about the EU data privacy laws later.”
This article clarifies the categories of US companies falling within the scope of EU privacy laws (Section 2). Next, the article discusses how US companies can ensure compliance with EU privacy laws (Section 3). Afterward, the article explains how US companies can certify their compliance with the EU privacy laws (Section 4). Finally, a conclusion is drawn (Section 5).
2. US companies falling within the scope of EU privacy laws
Firstly, this section examines the categories of US companies falling within the scope of the current EU privacy laws (Section 2.1). Secondly, this section discusses the categories of US companies that would fall within the scope of the new EU Data Protection Regulation that would replace the current EU privacy laws (Section 2.2).
2.1 Current EU privacy laws
The current EU privacy laws apply generally to cases when: (1) the data controller is established within the EU; and (2) the data controller uses equipment situated within the EU in order to process data. Below, these two cases are discussed in more detail.
Establishment within the EU
The Court of Justice of the EU (CJEU) clarified the concept of “establishment” by stating that a stable establishment requires that “both human and technical resources necessary for the provision of particular services are permanently available.” Thus, a server or a computer is unlikely to qualify as an establishment because it is regarded simply as a technical facility or instrument for the processing of information. However, a US company is not required to have a legal personality (e.g., a subsidiary) in order to create an establishment within the EU.
In the Google “right to be forgotten” decision of May 2014, the CJEU legally clarified the concept of “establishment” for the purposes of the EU privacy laws. In the decision, the CJEU stated that if there is a commercial connection between a local operation (whether branch or subsidiary) and a non-EU company, the EU data protection laws will apply to the non-EU company. More particularly, the CJEU stated that the advertising sales generated by Google Spain (a subsidiary of the US company Google Inc.) were sufficiently linked to the search activities offered by Google Inc. Hence, according to the CJEU, the activities of Google Spain fell within the scope of the EU privacy laws.
Using equipment situated within the EU
The EU privacy laws did not define the term “equipment” in detail. Thus, it can have a broad interpretation. Below, two examples of “equipment” within the meaning of the EU privacy laws are provided.
Firstly, a company in Australia which collects and processes personal information from mobile phones within the European Union will need to comply with the EU privacy laws. This is because the mobile phones will be regarded as equipment within the meaning of the EU privacy laws.
Secondly, a company providing cloud computing services allowing individuals to upload information about personal appointments will need to comply with the EU privacy laws if the company processes the collected personal information on servers situated within the EU. It should be noted, however, that the application of the EU privacy laws would not be triggered by equipment used for transit purposes only, but it would be triggered by specific equipment, such as installation of cookies, use of calculating facilities, and java scripts.
2.2 The new EU Data Protection Regulation
The EU plans to adopt a new privacy law called the General Data Protection Regulation (GDPR). The proposal for the GDPR was released in 2012. If adopted, the GDPR is expected to enter into force in 2017. The GDRP will apply to: (1) persons (natural or legal) based in the EU; and (2) persons based outside of the EU if they process personal information of EU residents. Therefore, the GDPR will apply to all US companies processing personal information of EU residents.
3. Ensuring compliance with the EU privacy laws
The US Department of Commerce in consultation with the European Commission developed a “safe harbor” framework (also known as “US-EU Safe Harbor Framework”) that allows US companies to ensure compliance with the EU privacy laws by meeting seven principles, namely, (1) notice, (2) choice, (3) onward transfer, (4) access, (5) security, (6) data integrity, and (7) enforcement. These seven principles are discussed in more detail below.
In order to comply with the principle of notice, a US company needs to inform the individuals whose personal information is collected about: (1) the purposes of data collection; (2) the contact details of the US company; (3) the types of third parties to which the US company will disclose personal information; and (4) the means used by the US company to limit the use and disclosure of personal information.
The principle of choice requires US companies to provide individuals with the opportunity to choose (opt out) whether their personal information will be disclosed by a third party or purposes incompatible with the purpose for which the personal information was initially collected. Moreover, US companies that plan to disclose sensitive personal information to third parties or use such information for a purpose other than its original purpose need to provide the individuals whose sensitive personal information was collected with an opportunity to make an affirmative or explicit (opt in) choice.
If a US company intends to transfer personal information to a third party, it needs to ensure that the third party complies with the US-EU Safe Harbor Framework or is subject to the European privacy laws. Alternatively, in order to comply with the principle of onward transfer, a US company intending to transfer personal information to a third party may sign a written agreement with the third party requiring that third party provide at least the same level of privacy protection as is required by the US-EU Safe Harbor Framework.
The principle of access requires US companies to provide the persons whose personal information is being collected with: (1) access to personal information about them; and (2) an opportunity to correct, amend, or delete such personal information.
The compliance with the principle of security requires US companies to put reasonable efforts to ensure that the personal information collected by them is protected against unauthorized activities (e.g., misuse and destruction).
In order to comply with the principle of data integrity, US companies need to collect personal information which is relevant for the purposes for which it is used.
The principle of enforcement requires US companies to provide: (1) recourse mechanisms to individual’s complaints; (2) procedures for verifying that commitments made by US companies adhere to the US-EU Safe Harbor Framework; and (3) obligations to remedy problems related to the failure of the company to comply with the principles of the US-EU Safe Harbor Framework. Thus, the enforcement of the commitment of US companies to comply with the US-EU Safe Harbor Framework generally comes from the self-verification letters submitted by such companies to the US Department of Commerce.
However, additional enforcement may come from the US Federal Trade Commission (FTC) and other federal agencies having the ability to enforce a promise made by a US company. For example, the FTC may consider a failure to abide by a promise made by a US company as a violation of the Federal Trade Commission Act, which prohibits unfair and deceptive practices. In 2010, the FTC took action against several US companies who represented that they were participants in the US-EU Safe Harbor Framework, but they were not.
4. Certification of compliance with the EU privacy laws
A US company willing to benefit from the US-EU Safe Harbor Framework needs to provide annual self certification letters to the US Department of Commerce. The assessment of whether the US company complies with the aforementioned seven principles can be done either by the company itself or by private companies. Below, the certification programs offered by two such private companies are discussed in more detail (Section 4.1).
4.1 Certification programs offered by private companies
This section discusses two programs certifying compliance with the US-EU Safe Harbor Framework, namely, (1) TRUSTe and (2) PrivacyTrust.
The TRUSTe privacy assessment program allows companies to verify their compliance with US- EU Safe Harbor Framework and assist them with self-certification with the US Department of Commerce. The TRUSTe privacy assessment program, includes a dispute resolution procedure resolving disputes about online collection of personal information. This dispute resolution procedure is required by the US-EU Safe Harbor Framework. The webpage of the TRUSTe privacy assessment program is available at http://www.truste.com/products-and-services/enterprise-privacy/eu-safe-harbor-seal .
The PrivacyTrust Safe Harbor program can assist US companies willing to certify their compliance with the US-EU Safe Harbor Framework. The assistance can be provided prior to the self-certification and after the self-certification. The webpage of the PrivacyTrust Safe Harbor program is available at http://www.privacytrust.org/safeharbor/index.html.
This article indicated that US companies may need to comply with the EU privacy laws even if they do not have an EU subsidiary. For example, the use of a server located within the EU may be sufficient to trigger the application of the EU privacy laws.
The good news for the US companies falling within the scope of the EU privacy laws is that they do not have to examine and investigate all 28 national laws of the member states of the EU in order to ensure compliance with the EU privacy laws. Such compliance can be ensured merely by complying with the seven principles of the US-EU Safe Harbor Framework.
After the US companies comply with these seven principles, they need to submit a self certification letter to the US Department of Commerce. Subsequently, the US Department of Commerce will upload the list on the following webpage: https://safeharbor.export.gov/list.aspx. US companies that do not have internal privacy expertise may use certification programs offered by third parties. TRUSTe and PrivacyTrust are two such programs.
* The author would like to thank Rasa Juzenaite for her invaluable contribution to this article.
1. Ashford, P., ‘Handbook on International Commercial Arbitration: Second Edition‘,
Juris Publishing, Inc., 2014.
2. Baker, N., ‘EU Data Privacy Laws Will Snag More US Companies’, Compliance Week, 16 July 2013. Available at http://www.complianceweek.com/news/news-bulletin/eu-data-privacy-laws-will-snag-more-us-companies#.VMpSdckrphp .
3. Deese, D., ‘Handbook of the International Political Economy of Trade‘, Edward Elgar Publishing, 2014.
4. Determann, L., ‘Determann’s Field Guide to Data Privacy Law: International Corporate
Compliance’, Edward Elgar Publishing, 2015.
5. Ezor, J., ‘Privacy and Data Protection in Business: Laws and Practices‘, LexisNexis, 2012.
6. Gellman, R., Dixon, P., ‘Online Privacy: A Reference Handbook‘, ABC-CLIO, 2011.
7. Hoeren, T., Kolany-Raiser, B., Yankova, S., Hecheltjen, M., ‘Legal Aspects of Digital Preservation‘, Edward Elgar Publishing, 2013.
8. Hordern, V., ‘How do Global Businesses Know When EU Data Protection Applies to Them’, Hogan Lovels: Chronicle of Data Protection, 17th of November, 2014. Available at http://www.hldataprotection.com/2014/11/articles/international-eu-privacy/how-do-global-businesses-know-whether-eu-data-protection-law-applies-to-them/ .
9. Moerel, L., ‘Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers‘, Oxford University Press, 2012.
10. Opinion 8/2010 on applicable law adopted on 16 December 2010 by Article 29 Data Protection Working Party. Available at
11. Pearson, S., Yee, G., ‘Privacy and Security for Cloud Computing’, Springer Science & Business Media, 2012.
12. Raj, S., ‘Digital Identity and Access Management: Technologies and Frameworks‘, IGI Global, 2011.
13. Trope, R., Upchurch, G., ‘Checkpoints in Cyberspace: Best Practices to Avert Liability
in Cross-border transactions‘, American Bar Association, 2005.
14. US-EU Safe Harbor Overview, Export.gov, last updated on 18 December 2013. Available at http://www.export.gov/safeharbor/eu/eg_main_018476.asp .
15. Weil, R., Lentz, D., Hoffman, D., ‘Litigation Services Handbook: The Role of the Financial Expert‘, John Wiley & Sons, 2012.