
How European Data Privacy Law May Impact Your Business in Southern Utah
LEGAL
By Tim Anderson and Rachel Naegeli
Let’s say you own a very cool dude ranch in the wilderness of southern Utah. Without question, your best source of customers is Europeans; you know how much they love a wild west experience. Amid the COVID crisis, your customers from the old country are not so plentiful. However, you still want to engage that market, so you locate a database of your visitors stretching back ten years and send them electronic brochures and updates via email. Maybe you start a blog, targeting your best potential customers in the EU. In turn, they respond by the thousands. They love your website and follow your blog. You are all ready to go as soon as the travel restrictions subside!
And then you get a letter from the European Data-Board informing you that you are in violation of the GDPR (General Data Protection Regulation of the EU), and you could potentially be fined ten million dollars or 2 percent of your total world-wide revenue, whichever is greater, for illegally storing and processing personal information (a mere name, mailing or street address, email address, or phone number) of EU citizens within the EU states. You are in trouble for not being “GDPR compliant,” which, of all the things to worry about as a business person, is not at the top of your list. So what is going on in the EU that can impact your southern Utah business so directly?
Let’s turn the clock back to 2015. (Yes, it is hard to remember anything prior to 2020, so here’s a reminder of what was happening in the world of data privacy way back then.) The European Union has been regulating the transfer of its citizens’ data for decades. To inhibit efforts to get around EU data privacy laws by transferring personal data out of the EU, the European Commission established rules for international data transfers. For transfers to be legal, the data must be afforded the same level of protection guaranteed in the EU. In 2000, the European Commission determined that the United States data privacy principles were sufficient. This “Safe Harbor” decision allowed personal data to flow from the EU to the US. Along came Edward Snowden. Remember him? Snowden was a cyber intelligence consultant who leaked classified information that suggested US intelligence agencies could access individuals’ personal data stored in the US. While Americans disputed whether Snowden was a traitor or a hero, a different dispute began in Europe. There was a big international legal wrangle over safe transfer of personal information from the EU to the US, and the Safe Harbor decision was struck down.
In Utah, the response was mixed. Some organizations joined what was known as the EU-US Privacy Shield, which allowed companies to transfer data from the EU to the US under certain conditions. Some took the ostrich approach and pretended nothing had happened. Others used alternate methods—adopting what is called Binding Corporate Rules or implementing what is known as Standard Contractual Clauses (SCC)—to meet EU data transfer requirements. After an initial flurry of compliance activity, most Utah companies went back to business as usual until the next round of compliance erupted in 2018 when the EU General Data Protection Regulation (GDPR) came into force, prompting businesses to update their privacy notices.
On June 4, 2021, the European Commission published new SCCs, providing a new mechanism for transferring EU personal data in line with the GDPR. If your organization processes EU personal data, you need to understand and implement the new Standard Contractual Clauses.
The GDPR permits certain contractual clauses ensuring appropriate data protection safeguards to be used as a ground for data transfers from the EU to third countries. SCCs are essentially binding contracts governing data transfers that have been pre-approved by the European Commission. The new SCCs replace the previous versions, which can no longer be used for new agreements. The new SCCs must be incorporated into existing agreements by the end of 2022. The new SCCs establish measures that adequately protect personal data. Parties must guarantee that the data importer (i.e. your Utah-based small business) can fulfill its SCC obligations under the country’s laws where the importation occurs. There are many additional measures that must be met.
Many other countries, like China, Brazil, and others, have similar or very complex rules for transferring, processing, using, or keeping the personal information of their citizens. It is important to be aware of the information privacy rules as they emerge in this rapidly changing business environment in southern Utah, especially as we migrate to a much more comprehensive technology community. Utah companies, especially those with distributors or multi-level selling organizations, or any companies with a significant EU or other non-US consumer customer base or EU employees, should be very careful to understand and abide by these laws.

Timothy Burton Anderson has practiced law in the St. George, Utah, area for forty-two years. He works in the St. George, Utah, office of the Salt Lake City-based firm Kirton McConkie. His areas of emphasis are commercial and recreational real estate, zoning and planning issues, public lands issues, and international commercial transactions for Utah-based companies primarily in Canada, Europe, and parts of Asia. tanderson@kmclaw.com

Rachel Naegeli is a member of Kirton McConkie’s international section. Her practice focuses on international transactional law and data privacy issues. She has a master’s degree in international affairs and is designated as one of the 2021 Utah Legal Elite in international law. rnaegeli@kmclaw.com