Although U.S. media coverage of the Edward Snowden leaks regarding the National Security Agency’s PRISM program has waned in recent months, the issue remains a hot topic in the European Union (EU). Of particular interest to the EU is whether or not to extend its 14-year-old Safe Harbor Framework arrangement with the U.S. permitting the transfer of personal data to the U.S. from the EU. If your company either has a presence in the EU or intends to have a presence there, this issue should be on your radar.
The EU has been at the forefront of providing legal protection for a wide range of personal data. EU Directive 95/46/EC (the “Data Protection Directive”), established nearly 20 years ago, ensures common standards of data privacy protection for personally identifiable data across EU member states. Under the Data Protection Directive, persons in France can take solace in knowing that companies in Spain or Italy are required to maintain the same general level of data privacy safeguards as are provided in France. More importantly, the Data Protection Directive (subject to a few exceptions) prohibits transferring personal data outside the EU to a non-member state unless the non-member state offers a commensurate level of data protection to that found in the EU. In what may come as a surprise to some, the EU does not consider the U.S. to offer a level of data privacy protection equivalent to that of the EU. Consequently, transfers of personal data to the U.S. from the EU are subject to a number of limitations.