Executive Overview
The EU has recently issued a Working Document which introduces another compliance option for U.S. companies receiving personal data from their European subsidiaries and affiliates. This GCD Client Alert outlines the basic requirements of the Working Document. Comments on this Working Document are being solicited by the European Commission until Sept. 30, 2003.
Earlier this summer (June 2003), the European Art. 29 Working Group, the body charged with the oversight of the European Data Privacy Directive, issued a Working Document on codes of conduct applicable to transfers of personal data within corporate groups. It applies, for example, to the transfer of employee data from a European subsidiary to the U.S. parent. The Working Group is soliciting comments on the Working Document by September 30, 2003.
General Rule
As discussed in a previous GCD Client Alert (available at http://www.gcd.com/db30/cgi-bin/pubs/NewDevelopmentsDataPrivacy.PDF), the transfer of personal data from any of the countries comprising the European Economic Area to a third country is prohibited unless (1) the third country has been deemed to offer adequate protection to personal data or (2) one of the exceptions applies. As Europe considers the U.S. not to offer adequate protection to personal data (only Switzerland, Hungary, Canada and Argentina have been designated as providing an adequate level of protection), the transfer of personal data from Europe to the U.S. is prohibited unless it falls under one of the exceptions.
Compliance Options
The most prominent compliance option is the safe harbor administered by the U.S. Department of Commerce. For various reasons, many firms are reluctant to rely on this compliance option. Another option is to use the standard contractual clauses approved by the European Commission when transferring personal data to the U.S. Reliance on these clauses has been disappointing from the perspective of the Art. 29 Working Group because of the burdens they place on the recipient of the data. The third compliance option, and perhaps the most practical, is to secure the unambiguous consent of the data subject. This compliance option lacks the legal certainty offered by the first two options discussed above, as the definition of unambiguous consent is a question of fact determined by the individual EU member states. The following additional compliance options may be appropriate in specific circumstances:
- the transfer is necessary for the performance of a contract between the data subject and the data controller;
- the transfer is necessary for the conclusion or performance of a contract between the data subject and a third party;
- the transfer is necessary or legally required on public interest grounds;
- the transfer is necessary to protect the vital interests of the data subject; or
- the transfer is made from a public register.
Transfers Within Corporate Groups
The Art. 29 Working Group recently issued a Working Document which may be viewed as introducing another compliance option for U.S. corporate groups which frequently transfer personal data from their European operations to their U.S. operations. This option will probably be more attractive for companies with several subsidiaries in Europe. However, a review of the requirements imposed by the Working Document reveals that it does not offer much relief. These are some of the requirements identified in the Working Document:
- The corporate group is required to grant third party beneficiary rights to the data subjects to enforce compliance with the policy. These rights must match the rights granted to third parties under the standard contractual clauses.
- The corporate group must also be able to demonstrate that the internal privacy policy is known, understood and effectively applied throughout the group by employees and agents who have received the appropriate training and have the relevant information available at any moment, for example via the intranet.
- The corporate group must appoint the appropriate staff (with top-management support) to oversee and ensure compliance.
- The internal privacy policy must provide for self-audits and/or external supervision by accredited auditors on a regular basis with direct reporting to the board of directors of the parent company.
- The corporate group must set up a system by which individuals' complaints are dealt with by a clearly identified complaint handling department.
- The internal privacy policy must contain clear duties of co-operation with the national data protection authorities. There must also be an unambiguous undertaking that the corporate group as a whole and any of its members separately will abide by the advice of the competent data protection authority on any issues related to the interpretation and application of its internal privacy policy.
- The corporate group must designate an affiliate in the EU to which data protection responsibilities would be delegated including the responsibility to pay compensation for any damages resulting from the violation of the internal privacy policy.
Industry Codes
The Working Document should not be confused with the industry codes to which one often sees reference in the popular press. The industry codes, such as the FEDMA code which was recently approved by the Art. 29 Working Group (June 13, 2003), are voluntary codes of conduct applicable to a specific industry (in this case the direct marketing industry) which include an industry-wide enforcement mechanism. Several other industry groups are involved in discussions with the Working Group seeking approval of additional codes of conduct. For any questions concerning data privacy, contact any of the members of our Privacy Group. A copy of the Working Document will be provided upon request.
Copyright 2003 Gardner Carton & Douglas
This article is not intended as legal advice, which may often turn on specific facts. Readers should seek specific legal advice before acting with regard to the subjects mentioned here.