Cybersecurity and data privacy are vital issues that business owners need to understand. Many Northern California businesses rely on the availability of customer data for their business operations. State and federal cybersecurity and privacy laws require businesses to take various steps to safeguard certain types of customer information. Businesses that have an international presence must also abide by certain international treaties and the laws of some foreign countries. Since 2015, the U.S. and the European Union (E.U.) have attempted to develop a framework that allows U.S. companies to transmit customer information from Europe, while protecting European consumers’ privacy. They agreed on a framework known as the “EU-US Privacy Shield” in 2016. A recent ruling from an Irish court, however, could significantly alter the flow of information from European consumers to U.S. businesses.
The Privacy Act of 1974, 5 U.S.C. § 552a, regulates the U.S. government’s use of information commonly known as “personally identifiable information” (PII). This includes names, addresses, Social Security and other identification numbers, and other information that can be used to identify a specific individual. The applicability of these protections to people outside the United States remains uncertain. Congress expanded the scope of the Privacy Act to include nationals of designated foreign countries in the Judicial Redress Act of 2015. Pub. L. 114-126, 130 Stat. 282 (Feb. 24, 2016). The White House, however, has directed federal agencies to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act.” Exec. Order 13768, 82 Fed. Reg. 8799, 8802 (Jan. 30, 2017).
The U.S. and the E.U. developed a framework known as the International Safe Harbor Privacy Principles to address the handling of PII by private companies across national borders. The European Court of Justice (ECJ) ruled in 2000 that these principles were consistent with the E.U.’s Data Protection Directive, Directive 95/46/EC, which was in force at the time. The rise of social media, however, led to a complaint in 2014 from an Austrian citizen who was concerned about PII held by the social media company Facebook at its subsidiary facility in Ireland. Rather than concerns about identity theft, the complainant alleged that information submitted to Facebook would be subject to surveillance by the U.S. government.
The ECJ struck down the Safe Harbor Principles in 2015, in part because the U.S. government could “have access on a mass and undifferentiated basis to personal data of the population living in the territory of the European Union.” Schrems v. Data Protection Comm’r, Case C-362/14 at ¶ 45 (ECJ, 23 Sep 2015). The following year, the E.U. approved a new framework, known as the EU-US Privacy Shield. Privacy advocates have challenged this framework as well, leading to proceedings in the Irish court system. In April 2018, the Irish High Court sent the ECJ a series of questions about the Privacy Shield’s ability to protect European citizens against surveillance by the American government. The ECJ may rule, once again, that the U.S. and the E.U. must develop a new security framework. California businesses, meanwhile, must wait.
For over forty years, business and commercial attorney James G. Schwartz has advocated for the rights and interests of Bay Area businesses and business owners, assisting them in both litigation and transactional matters. Please contact us at (925) 463-1073 or online today to schedule an initial confidential consultation with a member of our team.
More Blog Posts:
Cybersecurity Obligations of California Businesses, Pleasanton Business & Commercial Law Blog, October 3, 2017
Ninth Circuit Rules in Favor of Video-Rental Company in Lawsuit Alleging Violations of California Privacy Law, Pleasanton Business & Commercial Law Blog, July 31, 2014
Liability for Cybersecurity Breaches Still Uncertain for Many Businesses, Pleasanton Business & Commercial Law Blog, June 30, 2014