Data Compliance & Security

The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch).  The Commission claims that the Regulation is good for individuals and good for business.  We’ll leave that to readers . . . and history . . . to decide.

As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.

As expected, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (also known as LIBE) voted today to adopt the new General Data Protection Regulation (see the summary we provided yesterday here).  A LIBE press release announced the vote with the proclamation “New EU rules on data protection put the citizen back in the driving seat.”  The vote was 48 for the GDPR, 4 against, and 4 abstentions.  The GDPR will go to a vote of the full EU Parliament in March or April of 2016.  It is expected to be passed based on LIBE’s endorsement.

Companies will have a grace period of two years to come into compliance, measured from the date that the GDPR is formally adopted and published in the Official Register.  That means that the key compliance date will probably fall in March or April of 2018.  Given the complexity of the 200-page Regulation and the likely need to audit and change business processes throughout organizations, we recommend starting the compliance review process immediately.

We will announce a series of webinars to drill down on specific topics under the GDPR early in the new year.

Updated at 8:50 pm GMT on 16 December 2015.

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15.  One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps.  As much consternation as that will cause at the breakfast table, it’s really the least of our worries.

It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape.  This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation.  On the other hand, the burdens on data controllers and processors have substantially increased.  We’ll explore all of this in more detail over the coming weeks.

Continue reading: The General Data Protection Regulation in Bullet Points

For the first Monday in November, we have 10 easy steps to make sure that your data breach incident response planning is viewed from that pesky point of view of a litigator.

  1. Fail to plan = plan to fail.
  2. Big problems first, small problems later (don’t let the perfect be the enemy of the good).
  3. The criticality of the tone at the top cannot be overstated.
  4. You cannot prevent idiocy, but you can train (and retrain, and retrain).
  5. Make good email practices your fight song (in both times of calm, and times of crisis).
  6. Say what you mean and mean what you say (avoid good policies with poor follow-through; don’t set standards that you can’t meet).
  7. Avoid inconsistencies wherever possible.
  8. Know what your peers are doing (and if you aren’t doing the same thing, document why not).
  9. If you have a close call, document your decision and carefully consider whether you want privilege to apply or not (and why not).
  10. Think about your “story” in slow motion being played on a movie screen (or in excruciating detail on the front page of the Wall Street Journal).

H/T to Mintz’s Meredith Leary for these.  For more on these 10 easy steps and a replay of our Halloween-themed October Privacy Webinar, “Tricks, But No Treats: A Halloween Visit to the Frightening World of Data Security Litigation,” check out this link to the recording.

The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor.  Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.

As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses.  LIBE certainly seems to have picked up on that also.

Continue reading: EU Parliament Committee calls on the Commission for immediate action on US data transfers

As I reported earlier today, the Court of Justice of the EU (ECJ) has declared Safe Harbor invalid.  The full decision is now available online in English here (other languages also available at curia.europa.eu by searching on C-362/14).

There are two key elements of the ECJ’s decision.  The first is that national data protection authorities in the EEA are authorized – indeed, required – to hear complaints from individuals with regard to the transfer of their personal data outside of the EEA regardless of whether the Commission has issued an adequacy decision.  The second is a determination that the Commission’s adequacy decision concerning Safe Harbor is invalid.  Period.  It’s gone.

Most US companies that rely solely on Safe Harbor will initially focus on the second part of the decision invalidating Safe Harbor.  That makes sense, because if Safe Harbor is your company’s only basis for legitimizing the transfer of personal data from the EEA to the US, your company is likely in violation of various contracts and, if your company is the data controller responsible for the transfer or otherwise directly subject to European data protection laws, it’s probably in violation of European data protection laws.  Near-term consequences?  The possibilities include:

  • termination of contracts and exposure to damages
  • customer complaints to your company
  • customer complaints against your company made to local Data Protection Authorities (DPAs)
  • employee complaints (although rather less likely than customer complaints)
  • loss of potential new business in Europe
  • orders and injunctions issued by DPAs that force your company to stop transferring personal data
  • (and no doubt you can add your own parade of horribles here . . . such as lost time of your General Counsel, your head of IT systems, head of consumer services and other senior executives, possibly a need for extensive data audits, and so on)

The invalidation of Safe Harbor in the blink of an eye (even if the case was pending over a year) requires urgent action.  But we should also be concerned about the first part of the ECJ’s decision, to the effect that local DPAs will always have the right and obligation to hear complaints from individuals even if the Commission has issued an adequacy decision.  We should care about this because for nearly two years, EU and US bureaucrats have been trying to negotiate a more robust Safe Harbor.  Let’s call that Safe Harbor II.

A few days ago, some commentators suggested that Safe Harbor II would save Safe Harbor-dependent companies because it would remedy the faults that the ECJ might find with the original Safe Harbor.  But now we know that even if the Commission endorses a Safe Harbor II, it can be attacked on a country-by-country basis.  Furthermore, the ECJ has effectively raised the bar for Safe Harbor II – in future judicial assessments of Commission decisions, the ECJ will take a strict approach to reviewing such decisions (see Para. 78 of Schrems).   To achieve a Safe Harbor II that meets the ECJ’s stringent requirements, the Commission will, effectively, need to “ensure” that the US’s national security laws don’t allow the gathering of data beyond that strictly necessary to achieve their objectives (that is, objectives that the ECJ thinks are legitimate) and contain adequate safeguards for EEA individuals.  Taken in its strongest form, this could include a right to know their data has been processed by intelligence services, a right to find out what data has been gathered about them, and a right to have incorrect or incomplete data rectified (see Para. 90 of Schrems), all of which would be, to say the least, in tension with the fundamentals of intelligence work.

In a nutshell, we may not get a Safe Harbor II any time soon, and if we do, we won’t be able to rely on it (not with any real confidence) until it’s been challenged through national DPAs, then the national courts, then referred to the ECJ – and we finally have an ECJ decision upholding it.  In other words, Safe Harbor II will be negotiated with a wary eye toward the inevitable ECJ chopping block.  As for what’s next on the chopping block, the Schrems opinion does nothing to settle concerns that model contract clauses and BCRs are vulnerable to attack on essentially the same basis as Safe Harbor.  Consent is looking better and better all the time – little surprise that Facebook Ireland has an express consent to transfers to the US and other countries built into its terms of use.

This all sounds a bit grim, doesn’t it?  There are alternatives to Safe Harbor (again, described in my earlier posts on this topic), although they have their own challenges.  Please tune in for our webinar on Wednesday, 7 October at 3 pm EDT for more discussion about steps you can take to comply with EU data protection laws in the new, post-Safe Harbor era.

UPDATE: Here’s a link to the English-language version of the ECJ’s full decision: Schrems Safe Harbor Decision

A press release issued by the Court of Justice of the EU (ECJ) regarding its decision in the Schrems Safe Harbor case (C-362/14) confirms that the ECJ has declared Safe Harbor invalid.  The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program.  We are awaiting publication of the decision and will report further after it becomes available.

In the meantime, here’s the background to this decision and some suggestions for what to do next if your company relies on Safe Harbor:

The European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection.  Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection.  The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.

Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.

If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible.  The primary options are:

  • Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid.  It’s also important to keep records of the consent in case there’s a challenge.
  • Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).  So while this is a longer term option, it won’t help if Safe Harbor is not available. Also, BCRs are vulnerable on the same grounds as Safe Harbor.
  • Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. However, see the cautions below.
  • In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.

There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option:  BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU.  If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts (and UK adequacy determinations) would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.

Since the Snowden revelations, trouble has been brewing for the EU-US Safe Harbor program and for the companies that use it to make their transfers of personal information from the EU to the US legal under EU privacy laws.  On October 6, the uncertainty generated last week by Advocate General Yves Bot’s opinion invalidating Safe Harbor will come to an end when the European Court of Justice (ECJ) releases its decision in the Schrems Safe Harbor case.  It is highly unusual for the ECJ to issue a decision so quickly after publication of the Advocate General’s opinion on a case.  However, the ECJ seems to be expediting its decision process.  (See the Wall Street Journal’s summary of the usual process here.)

What will be the implications of this decision? How can you, as a company, navigate these waters?

Last week in this space, we advised companies who rely on Safe Harbor for their EEA-to-US data transfers to get a contingency plan in place without delay. This week, we are urging the same and providing this Emergency Webinar to better assist.

REGISTRATION IS NOW OPEN

The European Court of Justice (ECJ) has announced that it will release its decision in the Schrems Safe Harbor case on Tuesday, October 6.  It is highly unusual for the ECJ to issue a decision so quickly after publication of the Advocate General’s opinion on a case.  However, the ECJ seems to be expediting its decision process.  (See the Wall Street Journal’s summary of the usual process here.)

One way or another, the uncertainty generated last week by Advocate General Yves Bot’s opinion invalidating Safe Harbor will come to an end soon.  Last week we advised companies who rely on Safe Harbor for their EEA-to-US data transfers to get a contingency plan in place without delay.  Now, it’s urgent.

Does your company rely on Safe Harbor to transfer personal data from Europe to the US?  If so, it’s time to think about alternatives to Safe Harbor – and fast.

The European Union’s Data Protection Directive (1998) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection.  Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection.  The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.

Currently, over 4,000 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.  But in light of the opinion issued today by ECJ Advocate General Yves Bot in the Schrems case, there’s a very high risk that the Safe Harbor program will be invalidated by the European Court of Justice, which is the EU’s highest court.  The AG found that the Commission’s decision (made 15 years ago) that the US-EU Safe Harbor program offers an adequate level of protection to personal data of EU residents was invalid in light of what is now known (largely through Edward Snowden’s disclosures) about the transfer of personal information from companies such as Facebook Ireland to the NSA under the PRISM intelligence program.

The ECJ will issue its ruling on the Schrems case before the end of 2015, and possibly sooner.  The ECJ does not have to adopt the Advocate General’s opinion, but it usually does (with the Google Spain case being a notable exception).  All of this is against the backdrop of negotiations between the European Commission and the US government for reforms to the Safe Harbor program and its enforcement by the US.

So if your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it’s time to start considering other bases for the transfer.  The other options are:

  • Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid.  It’s also important to keep records of the consent in case there’s a challenge.
  • Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).  So while this is a longer term option, it won’t help if the ECJ invalidates Safe Harbor within the next few months.
  • Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data.
  • In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.

However, there’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option:  BCRs and contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU.  If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.

The larger question of the international conflict between protecting privacy and enabling intelligence activities aimed at increasing the safety of the public (and, potentially, various other national interests) is a matter for the relevant governments to negotiate – but in the meantime, US companies that rely on Safe Harbor look to be stuck in a hard place.

Please contact Susan Foster or Cynthia Larose at Mintz Levin if you would like advice on steps to take to mitigate your company’s risks in light of the threat to the Safe Harbor program’s existence.