EU privacy regulations' impact on information governance.

Author: Schoch, Teresa Pritchard

Two recent European Union (EU) privacy actions--the General Data Protection Regulation and the invalidation of the U.S. Safe Harbor Framework--as well as its ruling on EU citizens' "right to be forgotten," are changing the way organizations in other countries must govern the personal information of EU citizens. These actions may also be providing the urgency some organizations need to initiate or improve information governance (IG) programs, bringing IG to the forefront of organizational strategy.

The recent swift passage of the European Union (EU) General Data Protection Regulation (GDPR)--a comprehensive update of its 1995 Data Protection Directive--and the October 2015 EU invalidation of the U.S. Safe Harbor Agreement, which had allowed U.S. companies to self-certify that they provide adequate protection for personal data transferred to them from other countries, have U.S. organizations scrambling to determine what this means for the way they govern EU citizens' personal information.

The following provides information about the new GDPR and the Safe Harbor Agreement invalidation that will help readers determine their course.

The GDPR

The GDPR's chief effects on U.S. organizations are that it:

* Applies to EU citizens' personal data, regardless of where it is collected, stored, or processed--whether inside or outside of the EU

* Requires that data subjects give explicit, informed consent before their data may be processed

* Defines personally identifiable information (PII) as any information that, if combined with another available piece of information, would allow an individual to be identified

* Requires organizations to notify those whose data has been breached within 24 hours of the breach

For more details about the GDPR, see the sidebar "Major Provisions of the EU General Data Protection Regulation."

The U.S. Safe Harbor Framework

The EU invalidation of the Safe Harbor Agreement, whose seven principles for handling EU citizens' PII in accordance with EU law were developed by the EU in an agreement with the U.S. Department of Commerce, was based on the U.S. government's ability to access private data in the United States without any recourse available to EU citizens.

It held that an EU citizen has a right to bring action against a U.S. company if he or she believes that his or her privacy is being jeopardized, regardless of that organization's certification under Safe Harbor. (See the seven principles of the Safe Harbor Agreement in the sidebar "The U.S. Safe Harbor Framework.")

On October 16, 2015, the EU's Article 29 Working Party, which includes representatives from all EU Data Protection Authorities, released its guidance on the judgment of the European Court of Justice indicating that enforcement against U.S. companies will start at the end of January 2016.

On October 20, 2015, the fallout from the EU's decision continued, as Israel announced that it also considers the Safe Harbor Framework invalid for future data transfers. Other nations will likely follow suit, as Europe has seemingly established itself as the global leader in defining privacy rights of the individual.

Impact on U.S. Data Laws

While some U.S. federal statutes address private information--for example, the Privacy Act of 1974 (5 U.S.C. § 552a), the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801-6809), the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.), and the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501-6506)--the U.S. federal government has not yet approached the issue of individual privacy in the electronic age with the same intensity as the EU. Instead, U.S...
