EU

US relations with the European Union took another hit last week, when the European Parliament voted to suspend Privacy Shield, the agreement between the US and the EU that allows companies to transfer the personal information of EU citizens out of the EU to US companies that have promised to adhere to the General Data Protection Regulation (“GDPR”). Between the Facebook-Cambridge Analytica scandal, the passage of the CLOUD Act and the Russian hack (sorry – alleged Russian hack) of the 2016 election, the EP felt that Privacy Shield did not provide an adequate level of protection for EU citizens. The US has until September 1 to become compliant.

St. Louis was named after Louis IX (born in 1214!), hosted a World Fair (technically, the 1904 Louisiana Purchase Exposition), the fleur-de-lis is ubiquitous, and we love soccer and football, although we have neither major league football nor soccer teams (St. Louis FC, our USL minor league soccer team, has a crest which features, you guessed it, a fleur-de-lis). However, St. Louis is known as the “Gateway to the West” – directionally away from Europe. Every once in a while, St. Louisans, like the rest of America, need to heed to what is going on over the pond, particularly when it comes to privacy and data security developments. Below is a brief update on a few foreign issues to begin the New Year.

In the digital era, EU data protection law may apply to U.S.-based companies with significant consequences. The EU law generally prohibits the transfer of personal data from the EU to the U.S., unless the transfer is made in accordance with one of a very few of authorized data transfer mechanisms or otherwise falls within one of the its even fewer exceptions. This transfer restriction significantly impacts U.S. multinational companies’ everyday business activities, such as processing employees’ payroll data, as well as their ability to implement enterprise-wide initiatives, such as compiling internet marketing information.

The European Union and United States differ greatly on law regulating the collection and transfer of personal data. For many years companies could rely upon the U.S.–EU Safe Harbor to lawfully make transatlantic data transfers and bridge the gap between the differing privacy frameworks. But in October 2015, the EU Court of Justice invalidated the U.S.–EU Safe Harbor on the grounds that it did not adequately protect personal data. This ruling jeopardized the continued flow of data from the EU to the United States and left many companies wondering how they could continue collecting and using data from the EU without violating the law.