Local clients doing business in the EU have had a difficult time addressing privacy as of late, but that is [allegedly] all about to change. On Friday, March 25, 2022 the US and EU announced they have reached a new trans-Atlantic data flow agreement. Such an agreement comes in the wake of the invalidation of the Privacy Shield.
For Roberts Law’s GCaaS and business clients – why is this important?
American businesses doing business in Europe generally[1] have to abide by one of the world’s strictest sets of rules for personal data protection, the General Data Protection Regulation (“GDPR”). The GDPR has specific requirements regarding the transfer of data out of the EU, including that such transfers may only be made to countries deemed as having adequate data protection laws. The US, regrettably, is not included in the EU’s list of countries meeting this requirement. As such, the recent history of EU-US data flows has been a legal struggle. Past workarounds have included the Safe Harbor framework (invalidated in 2015) and Privacy Shield (invalidated in 2020). US companies doing business in Europe for the past two years have therefore been operating in a gray area concerning privacy compliance. This March 25th announcement of a new trans-Atlantic data flow agreement gives hope of certainty for our clients when it comes to privacy recommendations.
Next Steps
News of this new trans-Atlantic data flow agreement in principle is so new that we do not yet even have a name for the agreement, let alone visibility into the business requirements it will entail. As such, we are in a bit of a “wait and see” holding pattern. We’ll report back to our GCaaS and business clients as the terms of this new agreement are made available.
#Privacy #PrivacyLaw #GDPR #GCaaS #BusinessLaw
[1] I note “generally” as there is some nuance. Unlike industry-specific US compliance regulations (for example, HIPAA), the GDPR is a general data privacy regulation that applies to all organizations that store or process the personal data of EU residents. The nuance comes from Recital 23, which provides that foreign companies are required to comply with the GDPR only if they “target” EU residents with their marketing. Such “targeting criterion” requires case-by-case analysis, but areas to look at include whether a business processes the data of EU residents regularly, the types of personal data being processed (are special data categories including health status, racial or ethnic origins, sexual orientation, or religious beliefs being processed?) and the rights and freedoms of those data subjects that may be at risk.
By: Josh Roberts
(941) 315-4058
Josh Roberts is a business and litigation attorney at Roberts Law, PLLC with over a decade of BigLaw and in-house experience assisting businesses and business owners in navigating contracts, privacy concerns, negotiations, and dispute resolution.
Disclaimer: The information in this blog post (“post”) is provided for general informational purposes only and may not reflect the current law in your jurisdiction or the jurisdiction applicable to your issue/matter. No information contained in this post should be construed as legal advice from Roberts Law, PLLC or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.