The U.S. and the EU recently concluded a treaty which will open the doors of U.S. courts to Europeans suing U.S. companies for data privacy violations. For a long time the Europeans have been skeptical about the protection of data privacy in the United States. The name “Snowden” still touches a sore spot with most Europeans. The general rule which the EU has had in place for a number of years is that the transfer of personal data from the EU to the U.S. is prohibited. There are, however, exceptions available to multinational companies that have business operations in the U.S. and need to regularly transfer data to and from the EU. We have written about the safe harbor option in an earlier blog. The Europeans' increased sensitivity to what they perceive as relaxed U.S. protection of personal data has caused the U.S. Federal Trade Commission to be more active in policing U.S. companies that represent that they protect personal data transferred from the EU.
The revelations about the monitoring and collection of personal data on Europeans by the U.S. government have heightened the concern of the EU and led to political controversy. At the same time, however, the EU recognizes the need to share personal data with the U.S. for the purposes of preventing crime and terrorism. In an effort to provide some structure around this collection of personal data, the U.S. and the EU began negotiating a treaty in 2011. On Sept. 8, 2015, the U.S. and the EU announced that they had finalized an “Umbrella Agreement” establishing a data protection framework for EU-U.S. law enforcement cooperation. The Umbrella Agreement is subject to approval by the U.S. Congress as well as the European Parliament and Council.
The Agreement allows data to be transferred between EU and U.S. law enforcement authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism. Any onward transfer of personal data outside the U.S. or EU is subject to the prior consent of the competent authority of the country which originally transferred the personal data. For multinational companies, these limitations will not be new as they are already enshrined in the EU Data Privacy Directive. What is new, however, is the obligation of the U.S. and the EU to extend equal treatment to the citizens of the other jurisdiction. That means, for example, that EU citizens will have the right to enforce data protection rights in U.S. courts even if they are not residing in the U.S. Until now, EU citizens have had little luck enforcing EU law in U.S. courts. As such, this new development represents another liability exposure for U.S. companies which should be addressed in their compliance procedures and policies.