U.S. companies with European subsidiaries are likely to encounter data protection difficulties when requesting personal information from Europe. As European regulators can impose financial penalties against companies which fail to comply with European data protection requirements, it is important for U.S. executives to understand these requirements.
Companies need the consent of their employees or customers to “process” personal data about them. Personal data includes any information that can identify the person, e.g., name, email address, personal description, etc. This consent may be implicit in the working relationship, or specific consent may be included in the terms of business or the employment contract. Alternatively, the company may be able to rely on an exemption, e.g., the need to comply with its legal obligations.
Companies also must obtain their customers' or employees' express consent to transfer their data to the U.S. This is because the European Commission (EC) has deemed the U.S. to have “inadequate” data protection rules.
A company based in the U.S. can use the EC-approved “model clauses,” which set out protections for the employees or customers and require the organization to comply with the data protection laws that apply to its European subsidiary. Alternatively, the U.S.-based business can register with the Department of Commerce's safe harbor, remembering that it must comply with the safe harbor principles and self-certify this compliance annually. As a further alternative, it can agree to binding corporate rules with the European data protection regulator; this allows the transfer of data from all of its subsidiaries located in Europe.
In addition, in some European Union (EU) member states – e.g., France, Germany and Italy – that nation's data protection regulator or the employee representatives must also consent to the transfer of data to the U.S., regardless of which approach the U.S. company takes.
Pulina Whitaker is a partner and head of King & Spalding's employment and benefits practice in London.