In a recent post on the Massachusetts security breach legislation, I explained that the law applies to anyone who has control of the personal information of a Massachusetts resident. This covers any "person" (a term used broadly to include individuals and non-individuals) located anywhere, whether within the U.S. or in another jurisdiction. If a security breach results in the disclosure of the personal information of a Massachusetts resident, the notification and other obligations under the Massachusetts law apply to the offshore company.

Similarly, the European Union Privacy Directive 95/46 restricts its member states with respect to the transfer of personal data of citizens of EU member states. Further, each member state has enacted privacy legislation following the template provided by the EU Privacy Directive, in some cases imposing even stricter or more detailed privacy protection requirements that must be met before the data can be transferred out of the EU to another jurisdiction. Essentially, the country into which the data will be transferred must offer "adequate protection." Since the US has not received an "adequate protection" designation from the EU, a US company wishing to transfer personal information from an affiliate or third party service provider located in the EU has several options for meeting the requirements of the EU Privacy Directive and avoiding the fines that can be assessed against violators: Safe Harbor certification, binding corporate rules, and accepting contractual obligations.
It would appear that the two sides of the Atlantic have yet another difference in their respective approaches to consumer data privacy: the EU countries are focused on preventing data privacy breaches by imposing protective requirements and by limiting cross-border transfer of personal data. On the other hand, the vast majority of US states have faced the inevitability of data security breaches, and have focused on notification requirements and identity theft preventive measures. Meanwhile, reports of data security breaches continue to make headlines on both continents, and there appears to be no end in sight.