Cybersecurity and data privacy are vital issues that business owners need to understand. Many Northern California businesses rely on the availability of customer data for their business operations. State and federal cybersecurity and privacy laws require businesses to take various steps to safeguard certain types of customer information. Businesses that have an international presence must also abide by certain international treaties and the laws of some foreign countries. Since 2015, the U.S. and the European Union (E.U.) have attempted to develop a framework that allows U.S. companies to transmit customer information from Europe, while protecting European consumers’ privacy. They agreed on a framework known as the “EU-US Privacy Shield” in 2016. A recent ruling from an Irish court, however, could significantly alter the flow of information from European consumers to U.S. businesses.
The Privacy Act of 1974, 5 U.S.C. § 552a, regulates the U.S. government’s use of information commonly known as “personally identifiable information” (PII). This includes names, addresses, Social Security and other identification numbers, and other information that can be used to identify a specific individual. The applicability of these protections to people outside the United States remains uncertain. Congress expanded the scope of the Privacy Act to include nationals of designated foreign countries in the Judicial Redress Act of 2015. Pub. L. 114-126, 130 Stat. 282 (Feb. 24, 2016). The White House, however, has directed federal agencies to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act.” Exec. Order 13768, 82 Fed. Reg. 8799, 8802 (Jan. 30, 2017).
The U.S. and the E.U. developed a framework known as the International Safe Harbor Privacy Principles to address the handling of PII by private companies across national borders. The European Court of Justice (ECJ) ruled in 2000 that these principles were consistent with the E.U.’s Data Protection Directive, Directive 95/46/EC, which was in force at the time. The rise of social media, however, led to a complaint in 2014 from an Austrian citizen who was concerned about PII held by the social media company Facebook at its subsidiary in Ireland. Rather than raising concerns about identity theft, the complainant alleged that information submitted to Facebook would be subject to surveillance by the U.S. government.