Data Transfers/Safe Harbor/Privacy Shield

Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.

Read the full Special Report.

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.

Continue Reading

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

Continue Reading ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Even though Brexit will likely have the biggest impact on the financial sector, businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations will also be affected. In particular, should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data protection laws, transfers to data processors in the United Kingdom would have to be based on an adequacy decision of the European Commission, standard contractual clauses (model contracts) or binding corporate rules.

Read the full article here.

After intense negotiations, and after the official deadline had passed on Sunday, 31 January 2016, the United States and the European Union have finally agreed on a new set of rules—the “EU-U.S. Privacy Shield”—for data transfers across the Atlantic. The Privacy Shield replaces the old Safe Harbor agreement, which was struck down by the European Court of Justice (ECJ) in October 2015. Critics already comment that the Privacy Shield will share Safe Harbor’s fate and will be declared invalid by the ECJ; nevertheless, until such a decision exists, the Privacy Shield should give companies legal security when transferring data to the United States.

While a text of the new agreement is not yet published, European Commissioner Věra Jourvá stated that the Privacy Shield should be in place in the next few weeks. According to a press release from the European Commission, the new arrangement

…will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

One of the most known critics of the U.S. data processing practices and initiator of the ECJ Safe Harbor decision, Austrian Max Schrems, already reacted to the news. Schrems stated on social media that the ECJ Safe Harbor decision explicitly says that “generalized access to content of communications” by intelligence agencies violates the fundamental right to respect for privacy. Commissioner Jourová, referring to the Privacy Shield, stated that “generalized access … may happen in very rare cases”—which could be viewed as contradictory to the ECJ decision. Critics also argue that an informal commitment by the United States during negotiations with the European Union is not something on which European citizens could base lawsuits in the United States if their data is transferred or used illegally.

The European Commission will now prepare a draft text for the Privacy Shield, which still must be ratified by the Member States. The EU Parliament will also review the draft text. In the meantime, the United States will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsperson.

 

As we reported on October 19th, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data challenged the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program. Today, the European Commission (EC) issued a public statement confirming its commitment to working with the United States on a “renewed and sound framework for transatlantic transfers of personal data.” The apparent trigger for today’s announcement are “concerns” from businesses about “the possibilities for continued data transfers” while the Safe Harbor Sequel is under negotiation.

In its statement, the EC confirms that during the pendency of the U.S.-EU negotiations, Standard Contractual Clauses and Binding Corporate Rules (BCRs) are viable bases for legitimizing data transfers that formerly were validated by the Safe Harbor Program.

The EC was careful to note that today’s guidance “does not lay down any binding rules” and “is without prejudice to the powers and duty of the DPAs (Data Protection Authorities) to examine the lawfulness of such transfers in full independence.”  In other words, a DPA still may decide that Standard Contractual Clauses and BCRs are not viable under its country’s laws.

The Judicial Redress Act of 2015 (H.R. 1428) (Judicial Redress Act) is on its way to the U.S. Senate. On October 20th, the U.S. House of Representatives voted in favor of passage.

The Judicial Redress Act extends certain privacy rights under the Privacy Act of 1974 (Privacy Act) to citizens of the EU and other specified countries.

The preamble to the Judicial Redress Act states that:

The Judicial Redress Act provides citizens of covered foreign countries with the ability to bring suit in Federal district court for certain Privacy Act violations by the Federal Government related to the sharing of law enforcement information between the United States and a covered foreign government. Any such lawsuit is subject to the same terms and conditions that apply to U.S. citizens and lawful permanent residents who seek redress against the Federal Government under the Privacy Act. Under current law, only U.S. citizens and lawful permanent residents may bring claims against the Federal Government pursuant to the Privacy Act despite the fact that many countries provide U.S. citizens with the ability to seek redress in their courts when their privacy rights are violated. Enactment of this legislation is necessary in order to promote and maintain law enforcement cooperation and information sharing between foreign governments and the United States and to complete negotiations of the Data Protection and Privacy Agreement with the European Union.”

The House’s passage of the Judicial Redress Act is expected to help mitigate one of the key criticisms of U.S. privacy protection from EU regulators. As discussed in our blog posts from earlier this month, in the Court of Justice of the European Union (CJEU) decision invalidating the U.S.-EU Safe Harbor Program, the CJEU noted that EU residents lack an “administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”  Once passed by the Senate (as is generally expected), the Judicial Redress Act will provide that means of redress.

Check back for updates on the Senate’s consideration of the Judicial Redress Act and the ongoing EU-US negotiations about a Safe Harbor Sequel.

As we wrote on October 6, 2015, the Court of Justice of the European Union (CJEU) announced its invalidation of the U.S.-EU Safe Harbor program as a legally valid pathway for transferring personal data of European Union (EU) residents from the EU to the United States. An avalanche of reports, analyses and predictions followed the CJEU announcement because so many U.S. businesses operating in the EU relied on the validity of the Safe Harbor program.

As we expected, the CJEU decision was not the final chapter. On October 16, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the Working Party, an independent advisory board to data protection authorities in EU members states) called on the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program.

Echoing the CJEU’s concern about “massive and indiscriminate surveillance” by the U.S. government, the Working Party challenged the United States and EU to produce by 31 January 2016, a new data transfer framework with “stronger guarantees” of EU residents’ “fundamental rights” to data privacy, as well as “redress mechanisms” for violations.

In the meantime, the Working Party affirmed that data transfers formerly validated by the Safe Harbor program are not legal. It also noted its intent to evaluate the validity of the two other key data EU-U.S. transfer pathways: Binding Corporate Rules (BCRs) and Standard Contractual Clauses.

What This Means for U.S. Businesses

While waiting for news of Safe Harbor: The Sequel, our Privacy and Data Protection Group continues to advise a business that relied on the Safe Harbor program to:

  1. Classify the data transferred from the EU to the United States (employee, consumer, business contacts, etc.).
  2. Determine which of the data transfers from the EU to the United States were formerly validated by Safe Harbor.
  3. Identify vendors that transfer EU personal data for the business and determine how those vendors validate their transfers (e.g., Did a vendor represent that it could make legitimate transfers via Safe Harbor, and, if so, what happens now?).
  4. Decide how best to address EU to U.S. personal data transfers under one of the other data transfer pathways based on data classification (e.g., Binding Corporate Rules for intra-company transfers; Standard Contractual Clauses for transfers to third parties that do not otherwise meet EU requirements; or consent of each EU data subject—an impractical option for high-volume transfers).

Stay tuned for more on Safe Harbor: The Sequel and guidance for businesses.