New Safe Harbor for EU-US Data Transfer
In October 2015, the Court of Justice of the European Union (EU) invalidated the Safe Harbor Framework that since 2000 had defined the safe harbor for transferring personal data from the EU to the US. The Court sided with Austrian privacy advocate Max Schrems, whose complaint against Facebook alleged that the transfer of his personal data from the company's Irish subsidiary to servers in the US violated EU privacy principles.
In July 2016, the European Commission and the US Department of Commerce agreed on a new framework, the EU-US Privacy Shield, again defining a safe harbor so that transatlantic transfers of personal data for payroll, human resources, health and marketing purposes could resume. Like its predecessor, the new framework allows US-based organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation to qualify for the safe harbor through annual self-certification to the Department of Commerce that their handling of personal data collected in the EU complies with the Privacy Shield principles and terms.
The Court of Justice is likely to review whether the Privacy Shield conforms to the personal data processing principles of EU law such as transparency, legitimate purpose, proportionality, data minimization, accuracy, storage limitation and accountability, notably as set forth in the EU Data Protection Directive 95/46/EC. Indeed, Mr. Schrems has declared his interest in provoking such a review. In April 2016, the US Supreme Court heightened European concerns about US governmental collection of personal data, and hence the likelihood of review, by approving amendments to Federal Rule of Criminal Procedure 41 that broaden the ability of federal judges to issue warrants for remote searches of computers and collection of information, including computers located outside the issuing judge's district. The amendments take effect on December 1, 2016 absent Congressional action. Notwithstanding the prospect of controversy, European privacy advocates view favorably the ability of Europeans to assert their privacy rights in American courts under the recently adopted US Judicial Redress Act.
Relevance to the UK post Brexit
Until the UK formally withdraws from the EU (unlikely to occur for some years), EU law, including the Privacy Shield arrangements, continues to apply to the UK. After withdrawal, the UK Information Commissioner's Office would likely seek to negotiate arrangements with the US similar to the Privacy Shield.
What Should Companies Do?
Early self-certification under the new EU-US Privacy Shield may mitigate the risk of liability arising from complaints by Europeans. The consequences of such complaints could extend to having to return or delete Europeans' personal data and to pay damages, as well as to reputational harm.
Our team welcomes opportunities to discuss how we might assist to:
About Zuber Lawler & Del Duca LLP
Zuber Lawler & Del Duca represents clients throughout the world from offices in Los Angeles, New York and San Jose, including Fortune 500 companies, funds and government entities. The firm offers expert legal representation in corporate, finance, intellectual property, M&A, litigation and regulatory matters, frequently with an international dimension focused on Asia, Europe or Latin America.
This update is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or of Zuber Lawler & Del Duca LLP (ZLD). Nothing in this update is to be considered as creating an attorney-client relationship between the reader and ZLD.