EU Raises the Data Privacy Bar for U.S. Firms

One man makes a difference.

Today the European Court of Justice voided the “Safe Harbor” agreement, which allows the personal data of European Union citizens into a U.S. firm if the firm pledges to adhere to EU standards. The agreement inhibits Europe’s regulators from intervening on behalf of EU citizens who feel their privacy is compromised. The court is also concerned about U.S. authorities’ “mass and indiscriminate surveillance.”

Since U.S. standards fall below those of the European Parliament and Council Directive 95/46/EC, the court is probably right to be suspicious. Canada, India, South Korea, and others have modeled their newer data protection acts after the EU directive, not the United States. The United States has fallen behind. What the repeating data breach headlines are telling us is that true information security is not part of today’s reality. There’s much chatter in the papers on the impact to behemoth data collectors like Amazon.

But today, asset managers are scrambling as well! EU client personal data (for both institutional and retail clients) may be held within the asset manager’s data center and among the myriad vendors that support the investment firm. Vendor risk teams evaluate third parties against standards and typically restrict the amount of data exchanged with a vendor to the minimum critical to get the job done. When possible, they mask client names with numeric identifiers. During the onboarding process, contracts embed the language for EU Directive compliance, and vendors sign an addendum acknowledging adherence to EU standards. Some asset managers and vendors, of course, purposely maintain data centers in various regions to avoid the data transfer issue. Vendor risk teams are now combing through their vendor details to identify exposures for any potential compliance remediation and report them to the Board Risk Committees.

As reported by the Financial Times, the case stemmed from a complaint by 27-year-old Austrian law student Max Schrems, who took the Irish Data Protection Commissioner to court, arguing that the regulator had failed to protect him from U.S. spying and should suspend data transfers to the United States.

Maybe the folks in the United States will find their voices too.
