Are U.S. Companies Violating European Union Privacy Rules?

Gone are the days when companies could take lightly their responsibility to safeguard private data. Indeed, many companies have been very earnest in complying with U.S. privacy rules when it comes to sensitive data such as health and financial information.

But how are U.S. companies doing when it comes to protecting European data? Not so well, according to a recent complaint filed with the Federal Trade Commission (FTC).

The complaint, filed by the Center for Digital Democracy (CDD), and reported on by ZDNet, alleges that more than 30 U.S. companies are not protecting European data as promised by the U.S. government. Specifically, it is alleged that these companies are “compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, in violation of the [U.S.-EU] Safe Harbor framework.”

By way of brief background, the referenced Safe Harbor Framework permits EU data, which normally would not be allowed to move outside of Europe, to reside on U.S. servers to the extent European data protection and privacy rules are followed. This is important because in certain realms, Europe has stronger data privacy laws than does the U.S. The EU does not want to see its data exported to the U.S. and then compromised under privacy rules weaker than those in place in the EU.

The CDD wants the FTC to investigate the named companies for “data profiling and online targeting,” among other things, all of which allegedly violate Safe Harbor commitments, according to ZDNet.

Indeed, the CDD’s legal director, Hudson Kingston, claims that “the fundamental privacy right of 500 million Europeans has been ignored and must be acknowledged and protected going forward.”

We will see if there is fire where there is smoke in this instance. There have been prior attacks on the true viability of the Safe Harbor Framework. For example, notwithstanding the Safe Harbor, European data located in the United States potentially can be accessed by U.S. law enforcement authorities.

Whether or not the FTC investigates and takes action, Europeans believe that when they provide private information, that information should be protected according to the European privacy rules in place at the time, even if that information later finds its way to the United States. If the U.S. cannot follow through and provide such assurances by way of the Safe Harbor or otherwise, over time Europeans may be much less willing to allow for data flow to the United States.

Eric Sinrod (@EricSinrod on Twitter) is of counsel in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod’s columns, please email him at ejsinrod@duanemorris.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.
