Be Careful in the EU European Union (EU) countries are extremely protective when it comes to data privacy and, therefore, US companies doing business in the EU must be extra careful if they collect online personal information from persons in the EU. However, there is a method for US companies to transfer personal data outside the European Union in a way that is consistent with the EU requirements. Specifically, a US company can self-certify to the US Department of Commerce that it complies with EU standards. Indeed, many businesses include a statement in their privacy policies making this claim. However, the FTC has aggressively gone after companies that claimed to be certified under the US – EU Safe Harbor Framework (or the US- Swiss Safe Harbor Framework), but were not actually certified. For example, on May 29, 2015, the FTC announced that it had approved Final Orders resolving the FTC’s complaints against TES Franchising, LLC and American International Mailing, Inc. when, in fact, their certifications had lapsed years earlier.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of Fish & Richardson P.C., any other of its lawyers, its clients, or any of its or their respective affiliates. This post is for general information purposes and is not intended to be and should not be taken as legal advice.