Posted on: May 31, 2017in Blog
How Does the EU-US Privacy Shield Affect Cross-Border Discovery?
To improve is to change; To be perfect is to change often.
Up until recently, to think of the legal industry would not bring about thoughts of rapidly changing landscapes. The legal community is not what one would consider early adopters of anything. Lawyers by their very nature are risk adverse individuals, but in the last 10 years the legal landscape has seen more change than it has for hundreds of years previously. Electronic discovery and the associated services has gone from a burgeoning business to 15 billion. Alternative legal service providers like Legalzoom and Rocket Lawyer are changing the way the public at large can access legal information. In addition, the rapid globalization of commerce has made the instantaneous sharing of data possible, while at the same time bringing to light the fundamental differences in cultural expectations of privacy.
Preparing for a panel discussion on the fate of cross border transfers of data usually takes little more than sitting down for 30 minutes and getting thoughts in order. Preparing for a panel discussion regarding cross border discovery during the last year is an effort in legal research making sure nothing has changed overnight.
History of EU-US Privacy Shield
By now most of us are familiar with the Facebook user and law student, Max Schrems. Max and his legal team momentously, albeit briefly, stopped 500 years of transatlantic communication when the court invalidated Safe Harbor, the primary mechanism for the previous 15 years used to transfer data.
Although there always seemed to be grumblings of concern regarding Safe Harbor, the nail on the coffin that Schrems and his legal team relied on was the revelation by government contractor Edward Snowden of shear breadth of the US surveillance programs. Once it came to light the vast amounts of data being collected on citizens of the world with very little exception or control, it all but ensured that the United States could not commit to being able to give EU personal data “adequate” protection levels, which is a necessary component of Safe Harbor.
The 3 months following that decision left thousands of companies in limbo as individual EU countries gave conflicting advice on their level of immediate enforcement of data transfers. Clear guidelines were absent and the disparate approaches of individual nations were as varied as their languages; from calls for fines and immediate enforcement to leniency and commitments to stay enforcement procedures until suitable guidelines were in place, there was no consistency of direction
After months of wrangling, the EU and US on February 2nd 2016 finally announced that a framework had been reached called the EU-US Privacy Shield. The announcement contained a lack of specifics and not much more than the promise of addressing;
- the handling of Europeans’ PII Data,
- how the US Government access to data would be curtailed and
- how the rights of EU citizens would be protected under the agreement.
The announcement was little more than fanfare and an exercise in smoke and mirrors used to buy time. Almost a month would pass before additional clarity was given and the seven guiding principles of the EU-US Privacy Shield were released: notice, choice, security, data integrity and limitation, onward transfer, and recourse/enforcement.
Enforcing the Privacy Shield
Arguably the principle with the most teeth and greatest specificity circled around the recourse and enforcement, which is discussed at length and itself has 6 avenues for redress.
- Those wishing to operate under the Privacy Shield must allow citizens of the EU with complaints to address concerns with the offending entities.
- Companies must have an independent dispute resolution mechanism in the EU or the US to investigate and attempt to resolve complaints.
- Heavier weight will be given by the FTC (Federal Trade Commission) to complaints received from the dispute resolution groups appointed by the organizations.
- Cooperation by organizations is necessitated during any investigation of complaints by the local Data Protection Authorities.
- The Privacy Shield allows to a panel to address complaints not satisfactorily resolved by other means. A group of 20 arbitrators jointly selected by the DOC and the EU will find themselves assigned to binding arbitration and can impose “individual-specific, non-monetary equitable relief”. Each panel will consist of 1-3 arbitrators selected for the case from the pool of 20.
So it seems like we are finally good right? We have an airtight agreement that address all concerns?
Not quite yet. Two key elements worth mentioning are as follows;
First, a group by the name of Digital Rights Ireland filed a challenge to the Privacy Shield Adequacy decision. Secondly, we will have to wait until the yearlong “stay of execution” is up to see if Article 29 Working Party (an advisory body comprised of National DPS’s and representatives from EU member states) will formally challenge the Shield. The group has previously questioned the agreement since the first draft.
There is good news however; given that this agreement, unlike Safe Harbor, has an annual review period by which the DOC and the EU will take a practical look at whether the framework in place is providing the desired safeguards for European data. Additionally, an annual privacy summit with NGOs and stakeholders on developments in the area of the U.S. privacy law and its impact on Europeans will also occur. While the latter seems like a “check the box” process without a lot of teeth, it is a process none the less that will bring together the leaders and those that hold privacy in the highest regard to force the US to come further in line with EU standards.
One could venture that come June of this year when the first joint review takes place, there will be some changes to the Privacy Shield. But the framework allows for such changes without having to start from scratch, so rest assured it is unlikely that those processes and procedures you put in place to become compliant less than a year ago will be in vain.
So how does this affect cross-border discovery?
As I mentioned earlier, the European view on data privacy is very different than here in the US. Centuries of war, the atrocities of the Nazis, and the close proximity of independent nations have all weighed heavy on their views. Additionally, the European system of discovery is fundamentally very different as they operate for the most part under a civil law system while the US relies on common law.
These two facts combined make the US approach to discovery appear far reaching, over-broad and, woefully intrusive. Adding to an already complex discovery scenario, the addition of foreign entities causes the process to become unduly burdensome for US entities seeking to obey court ordered discovery for data residing overseas. In the US, with very few exceptions (unless you are part of a financial or telecommunications company which congress has passed laws to regulate), you are free to use the data collected as you see fit with little more than business considerations to keep in mind. The “how we use your data” section of contracts and corporate websites is much more a business concern than a legal one.
The EU on the other hand views PII as a human rights issue and has a complex system of rules and regulations that covers almost every aspect of the collection, control, and distribution of personal data. What is considered personal data is also very different, and goes far beyond merely names, birthdates, and the like. Generally personal data is considered almost ANYTHING that could be traced back to an individual no matter how unlikely. Also of note is that ‘processing’ of data is not what we would consider processing in the US relational to discovery, but rather any touching, formatting, changing, itemization is considered an act of processing.
Additional Ways to Transfer Data
Although not always easy there are ways to get the data to the US to review for litigation or investigation. First regarding processing of data the easiest way is if the data subject gives knowing, unambiguous consent.
The 3 other ways to transfer the data would be under the safety net or Privacy Shield, Model Contracts, or Binding Corporate Rules’, (BCR’s).
We’ve already discussed the Privacy Shield and its current limitations but let’s look at BCR’s and model contracts. Model Contracts create a binding pledge between data importer and exporter; that the importer will comply with EU laws and allow audits of its data handling. These contracts are non-negotiable form contracts and work well, except for between a single corporate entity, because let’s face it, although we may like to you cannot contract with yourself.
The least likely method a company would choose would be the BCR’s. These rules allow intracompany transfers all over the globe but require approval from each EU member state and requires considerable expense and often more than a year to put into place. The process is so arduous that less than 50 companies have this mechanism in place.
Each of the above has their benefits but none are without their respective challenges. The easiest way would be to contract with an organization that has in country data processing, hosting, and review capabilities so that way the transfers of private data could be minimized or excluded while reviewing data for US based litigation. Once the relevancy has been determined, a stronger case can be made that because these documents have been viewed by attorneys they are less likely to contain PII and therefore run afoul of data protection rules.
The US and Europe have been communicating and sharing data since before the United States were united; the American Revolution, neither world wars, nor Max Schrem was able to stop the data transfers for more than a heartbeat as the free flow of information is too important in a global business environment. Just as virtually no data protection authorities made any movements during the time period between the demise of Safe Harbor and the rise of Privacy Shield, regardless of their warnings, it is unlikely as changes are made to the new framework that they would do so now. Perfection during these changing times is unlikely, but documented and relied upon procedures should keep companies safe from the most egregious infractions. The only constant we should come to expect regarding EU-US data transfer is change.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted June 21, 2017
Control Litigation Costs by Making the Most of Your Internal Capabilities
Posted June 15, 2017
Shanghai OSAC Quarterly Meeting
Posted June 15, 2017
5 Ways to Reduce eDiscovery Costs Before and During Litigation
Posted June 07, 2017
Defensible Deletion Strategy: Getting Rid of Your Unnecessary Data
Posted May 31, 2017
How Does the EU-US Privacy Shield Affect Cross-Border Discovery?
Posted May 24, 2017
Unique eDiscovery Challenges with Mobile Device Data and How to Solve Them
Posted May 17, 2017
How to Comply with 21 CFR and HIPAA Data Retention Requirements
Posted May 11, 2017
4 Key Advantages of Conducting Remote Depositions
Posted May 03, 2017
eDiscovery in International Dispute Resolution: What Experts Want You to Know
Posted April 27, 2017
China Expands Data Transfer Requirements for its Cybersecurity Law