For years, US companies involved in litigation transferred data across borders, particularly out of the European Union, relying on the Safe Harbor framework, Binding Corporate Rules or Model Contractual Clauses, and/or the procedures laid out in the Hague Evidence Convention of 1970. Over the last five years, the sleepy Safe Harbor, a US Department of Commerce self-certification program designed to give EU personal data (Protected Data) a lawful route to the US, was under review by the EU's Article 29 Working Party.
Snowden Effect
Edward Snowden released slide decks that ripped the lid off the extent to which governments around the world were engaging in wholesale bulk surveillance and routinely sharing personal information (Protected Data). Governmental bodies that tended to err on the side of protecting personal information were aghast. Frameworks worked out over the previous decades began to unravel just as their replacements were being discussed.
The Snowden effect also called attention to what Shoshana Zuboff has termed Surveillance Capitalism. Commercial companies that hold, mine, sell and transfer personal data as part of their service or business model also fell into the crosshairs of intelligence agencies and of security and privacy advocates. With growing awareness of both commercial and governmental surveillance, a tipping point was reached.
Schrems suit
An EU citizen, Max Schrems, filed suit arguing that, in light of the surveillance revelations, the Safe Harbor could not be considered safe at any speed. He further argued that the European Commission's blessing of the US Department of Commerce's Safe Harbor could not bind a national Data Protection Authority to ignore his complaint. With long odds, the case crept through the courts, and each additional revelation from the Snowden cache sharpened the questions coming from the bench. The case beat the odds: in October 2015 the Court of Justice of the European Union invalidated the Safe Harbor decision, and a single EU citizen brought down a key business enabler for US companies handling EU data. The Safe Harbor is dead.
After a few long months of negotiation, the EU and US announced the Privacy Shield to address the shortcomings of the Safe Harbor.
How is the Privacy Shield different from the Safe Harbor?
The Safe Harbor framework did create rights and responsibilities around processing the protected data of EU citizens. In practice, however, there was little if any enforcement of a company's self-certified status. The new Privacy Shield creates multiple enforcement mechanisms for the EU Data Protection Authorities (DPAs) and multiple civil and administrative paths to remedies for the EU citizen. Consent requirements are expected to be higher, and there is an explicit expectation that data will be secured.
Safe Harbor plus Enforcement equals Privacy Shield
Key provisions of the Privacy Shield, administered by the US Department of Commerce include:
- The right of an individual to bring a complaint directly to a Privacy Shield participating company.
- A requirement that Privacy Shield companies make available a free independent recourse mechanism.
- A mechanism for an individual to register a complaint with their own country's Data Protection Authority (DPA), and a commitment by the US Department of Commerce to make a best effort to resolve complaints referred by a DPA within 90 days.
- Federal Trade Commission (FTC) enforcement through multiple mechanisms.
- Individual, private causes of action in US State Courts.
- Binding arbitration at the request of the individual if complaints are not resolved.
- While companies still self-certify, the Department of Commerce will spot-check for compliance and name and shame laggards.
- As with HIPAA and PCI compliance, service providers (onward-transfer recipients) used by a Privacy Shield company must themselves provide the same level of protection the Privacy Shield requires, and the certifying company remains accountable for them.
- Processing, whether by a company covered by the Privacy Shield or by an onward-transfer recipient, must be for limited and specific purposes consistent with the consent obtained.
Next steps:
Representatives of the EU data protection authorities, including the Article 29 Working Party, will evaluate the Privacy Shield. In parallel with the EU reviews, the US government will prepare to implement it.
Top 3 Practice Points for eDiscovery
- Understand how the climate has changed, especially with regard to FTC enforcement and Department of Commerce monitoring.
- Understand the EU data landscape. Where does the data reside? How important is it to the matter? Can collection be phased or the data de-scoped? Do you need early negotiations with opposing counsel or a protective order?
- Know the specific rules in the specific country. France is different from Germany, which is different from Switzerland. Consider engaging an experienced attorney on the ground in country, and use service providers whose contracts demonstrate that they adhere to Privacy Shield requirements.