Processing Customer Data
The EU’s general data protection Directive (95/46/EC) spells out strict rules concerning the processing of personal data. Businesses must tell consumers that they are collecting data, what they intend to use it for, and to whom it will be disclosed. Data subjects must be given the opportunity to object to the processing of their personal details and to opt out of having them used for direct marketing purposes. This opt-out should be available at the time of collection and at any point thereafter. This general legislation is supplemented by specific rules set out in the "Directive on the processing of personal data and the protection of privacy in the electronic communications sector" (2002/58/EC). This requires companies to secure the prior consent of consumers before sending them marketing emails. The only exception to this opt-in provision is if the marketer has already obtained the intended recipient’s contact details in the context of a previous sale and wishes to send them information on similar products and services.
Transferring Customer Data to Countries outside the EU
The EU's general data protection Directive provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders. Personal data can only be transferred outside the EU if adequate protection is provided for it or if the unambiguous consent of the data subject is secured. The European Commission has decided that a handful of countries have regulatory frameworks in place that guarantee the adequate protection of data transferred to them – the United States is not one.
The Department of Commerce and the European Commission negotiated Safe Harbor to provide U.S. companies with a simple, streamlined means of complying with the adequacy requirement. It allows those U.S. companies that commit to a series of data protection principles (based on the Directive), and who publicly state that commitment by "self-certifying" on a dedicated website, to continue to receive personal data from the EU. Signing up is voluntary, but the rules are binding on those who do. The ultimate means of enforcing Safe Harbor is that failure to fulfill the commitments will be actionable as an unfair and deceptive practice under Section 5 of the FTC Act or under a concurrent Department of Transportation statute for air carriers and ticket agents. While the United States as a whole does not enjoy an adequacy finding, companies that sign up to the Safe Harbor scheme will. Companies whose activities are not regulated by the FTC or DOT (e.g. banks, credit unions, savings and loan institutions, securities dealers, insurance companies, not-for-profit organizations, meat packing facilities, or telecommunications carriers) are not eligible to sign up to the Safe Harbor.
EU-based exporters or U.S.-based importers of personal data can also satisfy the adequacy requirement by including data privacy clauses in the contracts they sign with each other. The Data Protection Authority in the EU country from which the data is being exported must approve these contracts. To fast-track this procedure, the European Commission has approved sets of model clauses for personal data transfers that can be inserted into contracts between data importers and exporters. Most transfers using contracts based on these model clauses do not require prior approval. Companies must bear in mind that the transfer of personal data to third countries is a processing operation that is subject to the general data protection Directive regardless of any Safe Harbor, contractual or consent arrangements.
EU countries’ Data Protection Authorities (DPAs) and large multinational companies are also developing a third major approach to compliance with EU rules on transfers of personal data to countries outside the EU. This is based on country-by-country approval of “binding corporate rules” (BCRs). Companies that set up BCRs that satisfy European DPAs will be able to use the presumption of conformity that these approvals provide to transfer personal data from the EU to any location in the world – not just the United States. BCRs can be a tool for compliance with privacy rules on a global scale. The process of negotiation and approval of the BCRs is currently lengthy and complex, and has not been attempted by small or medium-sized companies.