This section provides an overview of the changes in the EU data privacy framework, and how it may impact U.S. industry.
General Data Protection Regulation
The General Data Protection Regulation (GDPR), which governs how personal data of individuals in the European Union may be processed, went into effect on May 25, 2018. The GDPR, which replaces the Data Protection Directive 1995/46, is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. Personal data as defined by the GDPR as any information that relates to an identified or identifiable living individual (a “data subject”) such as a name, e-mail address, tax ID number, or online identifier. Processing of data as defined by the Regulation includes actions such as collecting, recording, storing, or transferring data.
A company that is not established in the European Union may need to comply with the Regulation when processing personal data of residents of the European Union, European Economic Area residents (i.e., Norway, Lichtenstein, and Iceland), and Switzerland, if the company offers goods or services to data subjects in the European Union; or if the company is monitoring data subjects’ behavior, which is taking place within the European Union. The European data protection authorities published Guidelines 3/2018 on the territorial scope of the GDPR (see Article 3), to help companies determine whether they fall within the GDPR’s territorial scope. For example, the mere accessibility of a company’s website in the European Union is insufficient to subject a company to the GDPR, but other evidence of the intent to offer goods or services (such as advertising) to data subjects in the European Union might mean that the Regulation is applicable.
Generally, companies that are not established in the European Union but that are subject to the GDPR must designate in writing an EU representative for purposes of GDPR compliance. There is an exception to this requirement for small scale and occasional processing of non-sensitive data. Fines in case of non-compliance can reach up to four percent of the annual worldwide revenue or twenty million euros – whichever is higher.
The European Data Protection Board released official guidelines to help companies with their compliance process.
Transferring Personal Data Outside of the European Union
The GDPR not only provides for the free flow of personal data within the European Union but also for its protection when it leaves the region’s borders. The Regulation sets out obligations on data controllers (those in charge of deciding what personal data is collected and how or why it is processed), on data processors (those who act on behalf of the controller) and gives rights to data subjects (as mentioned, the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data and were complemented by measures to ensure that the protection is maintained when data leaves the region, and whether it is transferred to controllers, processors, or to third parties (e.g., subcontractors). In addition, restrictions on transfers of personal data outside of the European Union specify that such data could only be exported if “adequate protection” is provided.
The European Commission is responsible for assessing whether a country outside the European Union has a legal framework that provides enough protection for it to issue an “adequacy finding” to that country. There has not been an adequacy finding with respect to the United States, such that U.S. companies can only receive personal data from the European Union if they provide appropriate safeguards (e.g., standard contractual clauses or binding corporate rules), or refer to one of the GDPR’s derogations.
The EU-U.S. Privacy Shield / Trans-Atlantic Data Privacy Framework
The EU-U.S. Privacy Shield Framework was established by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of July 12, 2016, on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the Privacy Shield Framework. For more information, consult the website of the U.S. Department of Commerce, Privacy Shield Framework.
In March 2022, the United States and the European Commission reached a deal in principle on the Trans-Atlantic Data Privacy Framework, which will enhance the existing Privacy Shield Framework. The U.S. government and the European Commission are continuing their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new framework. For that purpose, these U.S. commitments will be included in an Executive Order that will form the basis of the Commission’s assessment in its future adequacy decision.