Editor's note: This post was authored by Logikcull contributor Eric Pesale, a soon-to-be attorney who recently graduated from the New York Law School. Eric writes regularly for the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at firstname.lastname@example.org or on Twitter at @ericpesale.
A new Transatlantic data privacy regime will go far in shaping how organizations and law firms with a U.S. presence handle the large amounts of data they possess, including information involved in e-discovery and cross-border disputes. For attorneys, vendors and others with global practices, it will directly impact day-to-day business operations and litigation approaches, and open the door to harsh penalties for non-compliance to those who voluntarily agree to its terms. The EU-U.S. Privacy Shield, as it is known, will also directly impinge on more than in Transatlantic digital services transactions.
The Privacy Shield, which replaces the now-defunct U.S.-EU Safe Harbor Framework, was adopted by the EU and its executive body, the European Commission, in July. The U.S. Department of Commerce, the overseeing American authority, began allowing U.S.-based organizations to opt in shortly thereafter. The Privacy Shield’s goals and principles -- namely, to give organizations on both sides of the Atlantic an acceptable legal mechanism for transferring personal data of EU citizens for the purposes of Transatlantic trade -- are similar to those of its predecessor. But the new regulations are said to impose harsher sanctions regarding noncompliance and illicit sharing of information with third parties, and will also introduce a new arbitration procedure for EU citizens. For law firms and other providers who must handle cross-border exchanges of information in the context of discovery, the Privacy Shield adds a tricky evidentiary obstacle that must be carefully maneuvered.
The move to put in place a more robust Transatlantic privacy framework was set in motion last year when an Austrian Facebook user alleged that information he posted to Facebook's affiliate in Ireland, which was subsequently collected by Facebook in the U.S., was not sufficiently protected in light of Edward Snowden's revelations regarding NSA spying.
What the EU-US Privacy Shield Entails for American Businesses and Law Firms
The main aim of the Privacy Shield is to hold American companies to more stringent data privacy standards fostered by the European Union when they receive the private data of EU nationals. Unlike in the United States, where data privacy is governed by industry-specific regulation, federal and state legislation and statutes, and self-oversight, data privacy regulations in the European Union are centrally codified under Directive 95/46/EC ("the Directive") and the more recently adopted Regulation (EU) 2016/679 ("the Regulation," which will replace the Directive on May 25, 2018).
The Directive currently prohibits any international transfer of EU member data that does not adhere to national data protection laws set by the EU’s data controller. The more stringent Regulation, however, will mandate a number of data privacy regulations that aren’t currently available in the United States, such as permitting so-called “right to be forgotten” requests (See e.g. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González).
Therefore, organizations transacting business in the European Union would need to meet the EU’s lofty data privacy compliance regulations so they can collect, process and use the private data of EU nationals. For parties and their counsel dealing with Transatlantic legal disputes -- a routine occurrence in the global economy -- this is where the rubber hits the road.
Given the virtual impossibility for American firms -- which are subject to a loose and often conflicting hodgepodge of privacy requirements in the U.S. -- of complying with existing EU privacy laws, the U.S. government and the European Commission collaborated on developing a set of data privacy principles and regulations that American businesses could opt into in order to receive and process the private data of EU citizens.
By opting into these regulations through the U.S. Department of Commerce, organizations qualify to receive and process private data under the Privacy Shield standards, but also subject themselves to regulation and enforcement of the Privacy Shield's provisions by the Federal Trade Commission and Department of Transportation.
To qualify for self-certification, a business must:
- Subject itself to the investigatory and enforcement powers of the FTC, Department of Transportation or other statutory body tasked with enforcing the Privacy Shield;
- Publicly declare its commitment to the Privacy Shield principles;
- Publicly disclose its privacy policies; and
- Fully implement the Privacy Shield's principles.
A Seven-Step Program
In all, the Privacy Shield requires companies to incorporate the following seven data privacy principles into their day-to-day operations:
Notice – Organizations are required to clearly publish and communicate information regarding their participation in the Privacy Shield. This includes:
- Providing a citation to a list of Privacy Shield-compliant companies,
- Highlighting which types of personal data are collected,
- Describing how best to contact the organization in the U.S. or EU about data privacy issues and complaints, and
- Clearly outlining the organization’s liability with respect to sharing information with third parties, as well as the individual’s right to invoke binding arbitration.
Choice – Organizations need to offer individuals a clear opportunity to opt out of having their personal information disclosed to third parties, or used for purposes materially different from those for which the information was originally collected. This principle also requires organizations to enter into contracts with any third-party agents handling the organization’s EU citizen data -- such as law firms or vendors. Furthermore, organizations need to give EU users an opportunity to affirmatively consent to use of their “sensitive information,” such as medical or health conditions, racial or ethnic origin, political opinions, trade union membership, and sexual orientation.
Accountability for Onward Transfer – Organizations are required to enter into contracts with third-party data controllers tasked with ensuring private data is used appropriately. These third-party handlers must also maintain the same level of data privacy protections levied on Privacy Shield-certified organizations. Any third-party recipient of EU personal data that can't meet Privacy Shield standards must notify the Privacy Shield-compliant organization and immediately cease processing.
Security – Organizations that create, maintain, use or disseminate personal information need to take reasonable and appropriate measures to protect the data from loss, misuse and unauthorized access, disclosure, alteration, and destruction. This includes protecting data from ordinary risks inherent in day-to-day private data processing.
Data Integrity & Purpose Limitation – This principle restricts organizations to only using private data provided to them for the purposes granted by EU users. It also gives organizations permission to organize private data in a way that helps them identify users individually.
Access – This principle requires organizations to give users the ability to access, amend, and delete stored data if the burden or expense of providing access is not proportional to the associated privacy risks, or where rights of persons other than the individual would be violated.
Recourse, Enforcement & Liability – This principle requires organizations to provide “robust mechanisms” for ensuring compliance, such as (a) recourse mechanisms users can exercise at no cost and (b) subjection to rigorous sanctions that ensure organizations are acting in compliance with Privacy Shield principles. It also holds Privacy Shield organizations liable for any acts conducted by third parties that receive EU citizen data from them, and requires organizations to arbitrate claims consistent with the Privacy Shield’s new arbitration procedure.
(The Privacy Shield also contains 16 supplemental principles that cover topics such as exceptions to stated principles, auditing, and compliance verification requirements.)
Notable Compliance Considerations for Attorneys and Multinational Businesses
The Privacy Shield presents a number of compliance-related challenges for law firms with a Transatlantic presence and lawyers representing businesses that receive and store private data. For instance, any business under the jurisdiction of the FTC or Department of Transportation can be subject to penalties for Privacy Shield violations. Civil penalties can reach up to $40,000 per violation or $40,000 per day for continuing violations. A misrepresentation made by a Privacy Shield-certified organization can also draw fines or jail time under the False Statements Act.
While the penalties for non-compliance are clear, the steps organizations must take to steer clear of those penalties are not. The relevant Privacy Shield principle states that organizations need to adopt “robust mechanisms,” but does not specify what kind of programs would be sufficient.
According to privacyshield.gov, the U.S. government’s official website, organizations and firms can meet the Recourse, Enforcement, and Liability principle by:
- Complying with a private sector-developed program that incorporates and satisfies the Privacy Shield Principles;
- Conducting a self-assessment that provides for dispute resolution, remedies and verification; or
- Issuing a commitment to cooperate with EU data protection authorities.
Again, the specifics of "how" are unclear. Firms and organizations that find themselves in the crosshairs of this new privacy regime should consult the appropriate authorities and counsel, and be well-versed in the new arbitration procedures that privacy-wary individuals will surely invoke.