By Brendan Lillis, originally published in Buffalo Business First on 9/9/16.

What U.S. Companies Need to Know About EU Data Privacy Rules

In today’s global digital economy, many U.S. companies are collecting or using personal data of residents of the European Union (EU). Whether this data collection comes from a sale of goods or services, through a social media campaign or cloud storage service, or via an employment relationship, there are strict laws governing the transfer of personal data from the EU to the U.S.

At the outset, it should be understood that data protection laws in the EU are generally more stringent than corresponding laws in the U.S. It is for this reason that representatives from the EU have actively sought to impose certain restrictions on its residents’ personal data that is controlled or processed within the U.S., and have sought to make remedies available for its residents if that data is misused or mishandled.

The first such set of rules by which U.S. companies were encouraged to abide was known as Safe Harbor.

Safe Harbor required companies to publicly post a privacy policy that discloses the types of data collected, purposes for collection and opt-out procedures. Companies must take reasonable security precautions to protect the data from any loss, misuse, unauthorized access, disclosure, alteration or destruction. Organizations must further take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current.

Although Safe Harbor went above and beyond most U.S. legal requirements related to the protection of personal data, it did not go far enough to appease EU governing bodies.

In October 2015, the EU-U.S. Safe Harbor framework was invalidated by the European Court of Justice as being inadequate. Work immediately began on a new framework, called Privacy Shield, which was ultimately approved by the EU on July 12 and went into effect in the U.S. on Aug. 1.

Privacy Shield takes the above framework of Safe Harbor as a starting point and adds several key provisions. The obligations that are imposed on participating organizations are called “Privacy Principles.” The Privacy Principles include additional limitations regarding permitted uses of personal data, list instances where affirmative consumer consent may be required and govern the length of time that data can be kept.

Privacy Shield provides consumers or employees with a mechanism to raise complaints with participating companies regarding the collection or use of their personal data, and companies are subject to binding BRENDAN LILLIS Guest Columnist arbitration in instances where complaints are not resolved. Further, Privacy Shield imposes strict requirements and certain liabilities related to the transfer of data to a third party.

U.S. companies may elect to participate in Privacy Shield by signing up with the U.S. Department of Commerce at You are able to self-certify that your organization has a privacy policy that adheres to the Privacy Principles, and pay a fee in an amount based on the size of your business, presently ranging from $250 to $3,250 USD.

Membership to Privacy Shield must be renewed by an organization on an annual basis. If a company does not renew membership, it can no longer accept personal data from the EU under the Privacy Shield framework. The Privacy Shield website maintains a searchable list of all member companies, both active and inactive.

While Privacy Shield offers all companies a very good template of recommended data security best practices, a U.S. company may be understandably apprehensive about agreeing to some of its imposed rules and liabilities. Multinationals may adopt a set of standards called the Binding Corporate Rules, though these only apply to the transfer of information within the same corporate group. In most other cases, U.S. companies have available an alternative option for lawfully receiving personal data from the EU known as the model contractual clauses.

Model contractual clauses are similar to the Privacy Shield framework in that they seek to impose certain obligations on U.S. companies in receipt of personal data from the EU. The model clauses, however, are not as onerous in certain respects.

For instance, there is no requirement that companies post a detailed privacy policy, nor are companies required to provide individuals with unfettered access to their personal data on request. Additionally, there are no impositions of binding arbitration or other enforcement mechanisms.

Of course, using the model contractual clauses implies the execution of a separate agreement with every data controller in the EU that supplies personal data to your company

Accordingly, U.S. organizations debating reliance on the model contractual clauses must consider the administrative burden of entering into (potentially) numerous agreements, versus the added oversight burdens, but streamlined approach, offered by Privacy Shield.

Now is a good time for all U.S. companies to assess whether they are controlling, or processing, any personal data originating in the EU, and if so, whether they adhere to the tough EU data-protection standards.

Privacy Shield self-certification and the model contractual clauses are the two preferred methods by which a U.S. company will be deemed by the EU to offer adequate privacy protection.