International Privacy: New Safe Harbor Requirements Presented by Kevin Haley Brann & Isaacson


Outline

• Background on European Developments

• Recent changes

• The legal landscape

• Practical takeaways


Background: the EU process

• European Union Governance

▫ The EU issues “directives” setting goals that all EU member states must achieve

▫ However, individual nations decide how to achieve them, through their own legislative process

▫ Thus, these goals can be implemented very differently from country to country – some might fail to implement altogether (“cookie directive”)


Background: EU privacy law

• EU Data Protection Directive (1998)

▫ Prohibits transfer of personal data to non-EU countries that do not meet EU “adequacy” standards for privacy protection

• US/EU “Safe Harbor Framework”: standard procedures whereby personal data could be transferred to the US


Background: safe harbor

Components of the Safe Harbor Framework:

• Notice: must notify individuals about purpose of data collection

• Choice: must give individuals the choice of whether their personal information will be disclosed

• Onward Transfer: if transferring information to a third party, must follow the Notice and Choice principles

• Access: individuals must have access to their personal information, which can be amended, corrected or deleted

• Security: must take reasonable precautions to protect personal information

• Data Integrity: information collected must be relevant for the purposes for which it is to be used

• Enforcement: must be a readily available independent mechanism for resolving disputes.

Source: http://www.export.gov/safeharbor/eu/eg_main_018476.asp


Background: safe harbor (cont.)

• The “Safe Harbor Decision” (2000)

▫ Decided that by meeting the requirements of the Safe Harbor Framework, US companies adequately protected EU citizens’ data

▫ Allowed free flow of personal information between all 28 EU countries and US companies in compliance with the Scheme


Recent Changes: Facebook lawsuit

• “Europe v. Facebook Lawsuit”

▫ Maximilian Schrems: Austrian privacy activist

▫ Brought challenge to Safe Harbor Decision in European court

▫ Based on US companies’ sharing personal data with the US government



Recent Changes: safe harbor invalid

• European Court of Justice declares Safe Harbor Decision invalid (October 6, 2015)

• Cites Edward Snowden, finding that under the framework agreement, the U.S. does not ensure adequate protection of fundamental privacy rights

• Companies can no longer rely on the Safe Harbor certification


Major Changes: uncertainty

• Extremely broad ruling:

▫ Unclear how US companies can meet EU privacy requirements

▫ Threatens suspending all transfer of data to non-EU countries that violate EU privacy rights

• Uncertainty:

▫ Provides little to no guidance on compliance going forward

▫ Unclear what data transfer mechanisms are “adequate”

▫ Unclear what rules now apply to the ~4,400 companies operating under the Safe Harbor framework standards


Continuing Developments

• German data privacy authority (Schleswig-Holstein) issues position paper (10/14):

▫ Argues that after this decision, there is effectively no mechanism for lawful transfer of data to the US

• EU working group issues statement (10/19):

▫ “EU Model Contractual Clauses” and “Binding Corporate Rules” can still be used to lawfully transfer data from the EU to the US


The Legal Landscape

• Now, EU countries’ national authorities examine whether or not US companies are in compliance with EU directives

• Some countries might be friendlier than others


The Legal Landscape: reactions

Penny Pritzker, US Commerce Secretary: this ruling “puts at risk the thriving trans-Atlantic digital economy”

Facebook: “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor”

Differing Reactions on Impact to US Business


The Legal Landscape: enforcement

• So, will the decision actually change much?

▫ What are most companies currently doing? (not much)

▫ What enforcement mechanisms exist?

▫ Who determines who is breaking the law?

▫ What can they do about it?


Enforcement: Russia

• New Russian Law:

▫ Any data about Russians must be stored in Russia

▫ An attempt at actual enforcement?

▫ How does this compare to the EU approach?


Enforcement:

• Who is the target of this decision?

• Does the EU’s concern with NSA information collection really have a connection to most US business?

• Is it just Facebook, Google, and Amazon?


Practical Steps: Options

• Wait and see

• If you have them, maintain Safe Harbor practices

• Review active contracts

• Update contracts/policies to comply with EU Model Policies and Rules

• Consider using EU-based providers without affiliates in the US


Questions?