Photo of Susan Foster

Susan Foster is a Member in the Corporate & Securities Section, practicing in the firm’s London office. She works with clients primarily on data protection, licensing, collaborations, and commercial matters in the fields of clean tech, high tech, mobile media, and life sciences. She has represented a broad range of clients from start-up companies to international industry leaders and has significant experience with cross-border transactions. She is qualified in England and Wales as well as California, and has experience practicing law in both the United States and the United Kingdom.

Follow: Susan's Twitter Profile

For the past few months, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

This week, we’ll present a webinar examining the criteria that determines whether or not your organization needs to appoint a Data Protection Officer. We will discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position. Make sure to join us for this important webinar!

Registration link is here.

 

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

The Article 29 Working Party (WP29) has released a brief updated statement on the final form of the Privacy Shield adequacy decision and supporting annexes.  WP29 is an important advisory group made up of representatives of each of the EU’s national data protection authorities.   In a nutshell, WP29 has said that Privacy Shield isn’t perfect, but it will wait until the first annual review to raise specific objections, which gives the Privacy Shield program enough time to get up and running.  The WP29 statement promises  that, during the first annual review of Privacy Shield, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”  WP29 goes on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

While WP29’s statement has been interpreted by at least one legal news source as a one-year moratorium on Privacy Shield litigation,  that seems rather unlikely.  The WP29 does not have  the legal power to deprive any EU data subject of his or her right to challenge Privacy Shield on human rights grounds, or to materially delay such a challenge.  If a national DPA refused to hear a complaint on the basis of the putative WP29 moratorium, the national courts would most likely find against the DPA.

A more modest — and realistic- – interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year.  Instead, they will leave that to Max Schrems and other individuals who remain skeptical of the EU-US privacy deal.

The EU Commission has formally adopted Privacy Shield and the US Department of Commerce will go live with a new Privacy Shield registration website on August 1.  US companies that had been registered under Safe Harbor will need to complete a new internal review, self-certification and registration to take advantage of Privacy Shield.

Much of the negotiation of Privacy Shield has focused on enforcement and oversight of the program by US authorities (as well as on the US intelligence agencies’ own collection and use of EU personal data).  Companies that are already familiar with Safe Harbor will find Privacy Shield’s general privacy principles to be very similar.  However, companies will want to take note of the more stringent conditions for onward transfers to third parties, which are likely to require companies to review their contracts with service providers and business partners.  Companies will also need to scrutinize their data retention practices carefully.  Overall, annual data protection reviews will be necessary as part of continued self-certification. The Department of Commerce is expected to take a more active role in proactively monitoring compliance, so companies will need to be prepared for inspections even if no complaints have been made.

The final version of Privacy Shield and its appendices, along with a press release and FAQ, are available here.

 

The final version of Privacy Shield (which has not yet been officially published) passed the Article 31 Committee vote on July 8th and is being presented today to the LIBE committee of the European Parliament.  LIBE’s vote is advisory, but it may provide some early indications as to how well Privacy Shield will survive anticipated legal attacks once it is formally adopted and implemented.

Formal adoption of Privacy Shield is widely expected to happen this week.  Once that happens, the US Department of Commerce or FTC  should publish the final text and start processing registrations.  Companies considering certifying under Privacy Shield should note that it requires a greater degree of internal scrutiny and documentation than Safe Harbor did.

Companies that have put standard clauses in place following the demise of Safe Harbor will want to consider the pros and cons of participating in Privacy Shield rather than continuing to rely on the standard clauses.  Neither approach is guaranteed to be risk-free: The standard clauses have been sent to the Court of Justice of the EU for review under the second round of the Schrems case in Ireland, and Privacy Shield is virtually certain to end up before the Court of Justice at some point within the next year or two.

According to several news reports, the Commission has sent a revised draft of the Privacy Shield adequacy decision to the Article 31 Committee.  One tech industry news source, Ars Technica, has made available a purportedly leaked draft of the version of Privacy Shield that is being reviewed by the Article 31 Committee.  The Commission has reportedly asked  the Committee to vote to adopt Privacy Shield on Monday.  Whether or not the Article 31 Committee will act swiftly remains to be seen, but we expect further news early next week.

 

US companies and policy makers will no doubt spend a good chunk of the day today considering the possible implications for them of yesterday’s UK vote for Brexit.  Mark Carney, Governor of the Bank of England, has issued a statement to calm the markets.  I will content myself with a much more modest statement to calm US companies who have been working hard to fill in the gap left by the demise of Safe Harbor and to prepare for the implementation of the GDPR in May 2018:  Brexit will have very little, if any, impact on the UK’s approach to data protection laws, at least in the medium term (say the next five years or so).

Why is that?  First and foremost, the UK has no interest in doing anything that would impede the flow of personal data between the UK and the rest of Europe.  The GDPR, like the current laws under the Data Protection Directive, provides a pathway of least resistance for data transfers: If a country’s laws “ensure[ ] an adequate level of protection” for the personal data, the Commission can issue an adequacy decision to allow data transfers to that country (without the need for model clauses or BCRs).  The most straightforward way for the UK to get an adequacy decision is to adopt and implement the GDPR (or at least all of the material parts of the GDPR) as part of its national legislation.

Second, of all the things that the UK will need to negotiate with the EU over the coming years, any quibbles that the UK may have about data protection legislation is likely to be low on the list, far behind passporting of banking services and new immigration arrangements.   The UK did have some concerns about the GDPR, as communicated by the ICO in its initial comments on the Commission’s early draft of the GDPR.  However, none of them were deal-breakers for the UK.

Third, as a practical matter, UK companies that are part of international corporate groups with a European presence would probably not make it a priority to push hard for UK legislation that eases their burden under UK law, while they still have to comply, in effect, with the GDPR with respect to their European operations (both of their affiliates and with regard to UK companies’ own sales into Europe).

Looking past the medium term, how might the UK’s approach change later on, once the key Brexit negotiations are finished?  The ICO did say a couple of weeks ago at a conference that it would consider other approaches, such as the data protection frameworks used in New Zealand or Australia, that meet EU adequacy requirements.  However, all of those existing frameworks will need to be reviewed again against the GDPR in order to keep their adequacy decisions in place, so those legal frameworks may look a lot more like the GDPR within a couple of years.

So until the ICO tells us otherwise, US companies working on preparing for the implementation of the GDPR should continue with that work even if their primary EU activities are only in the UK.  (And don’t forget that the actual exit is not taking place immediately.)

While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month.  The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US.  (The European Parliament has also criticized Privacy Shield.)  Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department.  And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.

If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for  formal adoption.  If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed.  Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).

News sources have speculated as to the status of the Article 31 negotiations (see here and here (scroll down)), but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is.  In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.

And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.

PS – for those who’ve been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.

 

In this edition of the “Innocents Abroad” series, Susan Foster discusses the privacy considerations that come into play when an employee loses a laptop containing customer data abroad!

 

From: Ned Help

To: Carrie Counselor

Subject:  Lost laptop containing European customer information

Carrie,

A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities. The employee was Abbie Absent-Minded.  Well, we hit a snag pretty quickly.  Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found.  It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it.  Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product.  She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.

I assume that we should tell our prospective client that the laptop with their customer data was lost.  What else do we need to think about?

Thanks,

Ned


 

Continue Reading Innocents Abroad: Lost laptop with customer data

We now have a precise date for the European Union’s General Data Protection Regulation to go into effect: May 25, 2018.  The official version has been published and is available here.  The GDPR, in its official published version, contains 87 densely-packed pages of recitals and articles, and many new and expanded obligations for both “controllers” and “processors” of personal data.  Many companies will need the full two years’ lead time to bring their operations and contracts into compliance.  (Read our bullet point summary here.)