Data Transfers/Safe Harbor/Privacy Shield

Join McDermott next Wednesday for a live webinar on the unique considerations in developing and procuring AI solutions for digital health applications from the perspective of various stakeholders. We will discuss the legal issues and strategies surrounding:

  • Research and data mapping essential to the development and validation of AI technologies
  • Protecting and maintaining intellectual property rights in AI solutions
  • Technology development
  • Risk management and mitigation for various contractual arrangements, including contracts with customers, vendors and users

We will also focus on the trends in US law for AI solutions in the digital health space, and present actionable advice that will help you develop an effective strategy for developing and procuring AI solutions for digital health applications.

Developing and Procuring Digital Health AI Solutions: Advice for Developers, Purchasers and Vendors
Wednesday, June 13, 2018 | 11:00 am CT | 12:00 pm ET
Register Here

 

As Europe’s General Data Protection Regulation (GDPR) takes effect, companies around the world are racing to implement compliance measures. In parallel with the GDPR’s development, China’s new data protection framework has emerged over the past year and is in the final stages of implementing the remaining details. With similar and often overlapping obligations, full compliance with the GDPR and China’s data protection framework presents a significant new challenge for companies with operations in China.

Does the GDPR Apply to Companies in China?

The GDPR applies to the processing of personal data of people who are in the European Union, even for a controller or processor in China, where the processing of the data is related to:

  • The offering of goods or services to the data subjects in the European Union, regardless of whether a payment is required; or
  • The monitoring of people’s behavior in the European Union.

As a result, even if a Chinese company does not have any formal establishments in the European Union, the GDPR will nonetheless apply if it is conducting either of these two types of activities.

What Are the Requirements for Companies in China Subject to the GDPR?

The GDPR primarily focuses on two categories of entities: “controllers” and “processors.” These two types are similar to concepts in the Chinese rules.  “Controllers” are entities that, alone or jointly with others, determine the purposes and means of the processing of personal data. “Processors” are entities that carry out the processing of personal data on behalf of the controllers.

Key requirements for most controllers under the GDPR: Continue Reading The GDPR’s Effects in China: Comparison with Local Rules and Considerations for Implementation

Last week, the US Court of Appeals for the DC Circuit issued a long-awaited decision on an omnibus challenge to the FCC’s interpretation of the TCPA. While the decision provides some relief for businesses, it does not eliminate the prospect of TCPA liability and leaves important TCPA interpretive questions unresolved. Businesses should continue to be vigilant regarding consent and opt-out procedures when sending automated text messages and automated or pre-recorded calls to consumers. Continue Reading

Throughout 2017, the health care and life sciences industries experienced a widespread proliferation of digital health innovation that presents challenges to traditional notions of health care delivery and payment as well as product research, development and commercialization for both long-standing and new stakeholders. At the same time, lawmakers and regulators made meaningful progress toward modernizing the existing legal framework in a way that will both adequately protect patients and consumers and support and encourage continued innovation, but their efforts have not kept pace with what has become the light speed of innovation. As a result, some obstacles, misalignment and ambiguity remain.

We are pleased to bring you this review of key developments that shaped digital health in 2017, along with planning considerations and predictions for the digital health frontier in the year ahead.

Read the full Special Report.

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.

Continue Reading

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

Continue Reading ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Even though Brexit will likely have the biggest impact on the financial sector, businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations will also be affected. In particular, should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data protection laws, transfers to data processors in the United Kingdom would have to be based on an adequacy decision of the European Commission, standard contractual clauses (model contracts) or binding corporate rules.

Read the full article here.

After intense negotiations, and after the official deadline had passed on Sunday, 31 January 2016, the United States and the European Union have finally agreed on a new set of rules—the “EU-U.S. Privacy Shield”—for data transfers across the Atlantic. The Privacy Shield replaces the old Safe Harbor agreement, which was struck down by the European Court of Justice (ECJ) in October 2015. Critics already comment that the Privacy Shield will share Safe Harbor’s fate and will be declared invalid by the ECJ; nevertheless, until such a decision exists, the Privacy Shield should give companies legal security when transferring data to the United States.

While a text of the new agreement is not yet published, European Commissioner Věra Jourvá stated that the Privacy Shield should be in place in the next few weeks. According to a press release from the European Commission, the new arrangement

…will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. The new arrangement includes commitments by the U.S. that possibilities under U.S. law for public authorities to access personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalized access. Europeans will have the possibility to raise any enquiry or complaint in this context with a dedicated new Ombudsperson.

One of the most known critics of the U.S. data processing practices and initiator of the ECJ Safe Harbor decision, Austrian Max Schrems, already reacted to the news. Schrems stated on social media that the ECJ Safe Harbor decision explicitly says that “generalized access to content of communications” by intelligence agencies violates the fundamental right to respect for privacy. Commissioner Jourová, referring to the Privacy Shield, stated that “generalized access … may happen in very rare cases”—which could be viewed as contradictory to the ECJ decision. Critics also argue that an informal commitment by the United States during negotiations with the European Union is not something on which European citizens could base lawsuits in the United States if their data is transferred or used illegally.

The European Commission will now prepare a draft text for the Privacy Shield, which still must be ratified by the Member States. The EU Parliament will also review the draft text. In the meantime, the United States will make the necessary preparations to put in place the new framework, monitoring mechanisms and new ombudsperson.

 

As we reported on October 19th, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data challenged the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program. Today, the European Commission (EC) issued a public statement confirming its commitment to working with the United States on a “renewed and sound framework for transatlantic transfers of personal data.” The apparent trigger for today’s announcement are “concerns” from businesses about “the possibilities for continued data transfers” while the Safe Harbor Sequel is under negotiation.

In its statement, the EC confirms that during the pendency of the U.S.-EU negotiations, Standard Contractual Clauses and Binding Corporate Rules (BCRs) are viable bases for legitimizing data transfers that formerly were validated by the Safe Harbor Program.

The EC was careful to note that today’s guidance “does not lay down any binding rules” and “is without prejudice to the powers and duty of the DPAs (Data Protection Authorities) to examine the lawfulness of such transfers in full independence.”  In other words, a DPA still may decide that Standard Contractual Clauses and BCRs are not viable under its country’s laws.