This blog post maps out the data privacy considerations a Nordic company needs to take into account when doing business with U.S. companies. If a Nordic company transfers any personal data to a U.S. company, such as a service provider or a U.S. subsidiary, the Nordic company must do its due diligence on the U.S. company’s privacy practices.
Overview of the Data Privacy Landscape
The U.S. takes a segmented approach to privacy. Rather than one over-arching privacy law or regulation that governs all types of data and all types of businesses in the U.S., there are federal and state laws that address different types of data or industries. Among the patchwork of laws in the U.S., there are specific laws that address data collected from children under age 13, privacy policy requirements, social security number usage, website tracking data, student data, healthcare data and the sale of data for third party marketing purposes. Privacy laws are enforced by state attorneys general and by the Federal Trade Commission (“FTC”), which acts under Section 5 of the FTC Act, prohibiting entities engaged in commerce from “unfair or deceptive acts or practices in or affecting commerce.” The FTC interprets this to include the requirement to have an accurate privacy policy. Unfair acts and practices include, without limitation, issues such as not securing data with industry standard methods. Deceptive practices include, without limitation, stating something in a privacy policy that is not accurate.
Transfer of Data from Europe to a U.S. entity
Despite the various U.S. privacy laws, the European Union has not classified the U.S. as providing an “adequate” level of privacy protection, because the U.S. does not have one over-arching comprehensive data privacy law. As a result, data controllers in Europe face liability for transferring personal data to a company located in the U.S., even a corporate affiliate, unless the controllers establish that the U.S. entity guarantees “adequate” privacy protections under one of the options recognized by the European Commission. For business-to-business contracts and transfers, the European Commission has acknowledged the following three primary mechanisms as valid to establish “adequacy” for transferring data to a U.S. entity, namely that the U.S. entity:
- has entered into binding corporate rules;
- is a member in good standing of the Privacy Shield; or
- enters into standard contractual clauses promulgated by the European Commission with the European Union company.
There are pros and cons to each mechanism for both U.S. and EU companies to consider. A sample of pros and cons is listed below. The key for an EU entity is to ensure that it conducts due diligence on how the U.S. entity safeguards privacy. The EU entity must take care to document its investigation into the U.S. entity’s practices and the conclusions it reached as to why the U.S. entity does or does not meet the adequacy standard. EU entities should have a data processing agreement in place with the U.S. entity that sets forth the adequacy mechanism on which the U.S. entity relies. Such an agreement should include provisions that allow the EU entity to confirm compliance from time to time.
Binding Corporate Rules:
Pros: Binding corporate rules benefit larger global companies that want to have one set of standardized rules for the entire corporate family.
Cons: Binding corporate rules historically have been more costly to implement and require regular audits to ensure compliance. Large multinational organizations are more likely to implement binding corporate rules.
Privacy Shield:
Pros: Certification may be easier to implement. A contract with each individual data exporter would not be required.
Cons: The Privacy Shield only replaced the defunct Safe Harbor in October 2016. The Privacy Shield is already being questioned by EU regulators and is up for reexamination on September 18. It is quite possible that the Privacy Shield will be overturned or significantly modified.
Standard Contractual Clauses:
Pros: These clauses are pre-approved by the European Commission and cannot be renegotiated by the processor/importing company.
Cons: U.S. companies have considered the model clauses to be burdensome and to impose undue liability.
To Sum Up:
There is a patchwork of laws in the U.S. covering personal data. First, you need to establish what kind of data you are handling in your business – e-mail addresses, names, IP addresses, social security numbers – and why. Second, you should investigate which laws apply in your case, and whether there is something you need to include in your customer contracts or security standards in order to comply with U.S. legislation.
If you’re a Nordic company transferring personal data to the U.S., for example to a customer or a U.S. subsidiary, you need to establish that the U.S. entity has a guarantee of “adequate” privacy protections under one of the three options recognized by the European Commission.