How will the new EU-US privacy shield fit with the upcoming General Data Protection Regulation?
Tracey Stretton and Lauren Grest look at the EU-US Privacy Shield and the consequences of the Schrems judgement for international data transfers and how it (or any successor) fits into the EU GDPR.
Tracey Stretton, legal consultant, Kroll Ontrack
The past four months have marked the start of a new era in data protection: the Safe Harbour agreement has been struck down, the General Data Protection Regulation has emerged, and the newly agreed EU-US Privacy Shield has arrived, although its final acceptance has been delayed. For corporate in-house counsel, law firms, IT professionals and legal technology providers, understanding the impact of these complex new rules is a major challenge.
What are the EU-US Privacy Shield and the GDPR?
In brief, the EU-US Privacy Shield is designed to be a new legal framework for transatlantic data flows replacing the Safe Harbour agreement. This new framework aims to protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.
The main points of the agreement are:
- Stronger obligations on companies in the US to protect the personal data of Europeans, and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission
- Access by US public authorities to personal data transferred under the new arrangement is to be subject to clear conditions, limitations and oversight, preventing generalised access
- Effective protection of EU citizens' rights, with several redress possibilities
- An annual joint review mechanism[1]
(Note: subsequent to submission of this article, the Article 29 Working Party raised questions regarding US bulk collection of data, and adoption has therefore been delayed.)
The General Data Protection Regulation is the successor to the Data Protection Directive (95/46/EC) and aims to harmonise data protection regulation across the EU and simplify intra-EU working. The main points of interest are:
- Increased fines for breaches of the GDPR, up to 4 percent of annual global turnover or EUR 20 million, whichever is higher.
- A "privacy by design" provision requires that data protection is designed into business services: measures to protect data must be in place from the start of a client engagement, not added afterwards.
- Where consent is relied on as the justification for handling data, it must meet a high standard: freely given, specific, informed and unambiguous, and explicit where special categories of data are processed. Contracts with clients should include a section on consent.
- The GDPR aims to make businesses accountable for their data practices and introduces new responsibilities such as data protection policies and impact assessments. On the data security front, detailed requirements now apply directly to vendors acting as processors, and controllers must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where feasible.
- Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, will be required to appoint an independent Data Protection Officer. This will be a challenging role to fill, given that it demands familiarity with both the IT systems involved and the legal requirements of the GDPR.
- The GDPR applies across all member states of the EU, and beyond Europe where an organisation processes personal data in connection with offering goods or services to individuals in the EU or monitoring their behaviour.
- "Right to erasure". Individuals have significantly reinforced rights, including the rights of access to their data, rectification and erasure, and the right to object to processing. Take steps to understand how you can comply with such requests.
- There are still restrictions on international data transfers. Controllers and processors may only transfer data outside the EU if they put in place appropriate safeguards and if individuals have enforceable rights and effective legal remedies. The GDPR has helpfully expanded the options available to legitimise transfers, which now include:
o Binding corporate rules
o Standard contractual clauses adopted by the Commission
o An approved code of conduct
o An approved certification mechanism
o Other contractual clauses authorised by a data protection authority
Some, like standard contractual clauses, have been tested over the years. Others are new, and their value and effectiveness will take time to assess.
- Absent an adequacy decision or one of these safeguards, data may not be transferred outside the EU without authorisation from a supervisory authority[2]
Lauren Grest, legal researcher, Kroll Ontrack
How will they work together?
The first thing to note is that the GDPR will not apply until 2018, and the EU-US Privacy Shield is still awaiting the opinion of the Article 29 Working Party[3], a group made up of data protection regulators from the EU's member states, which has initially rejected the agreement as it stands. Even if the Article 29 Working Party eventually endorses the agreement and the Commission adopts it, it could still be struck down by the Court of Justice of the European Union.[4]
In other words, companies at present still need to rely on alternative arrangements such as binding corporate rules, standard contractual clauses and the best practices set out by the Article 29 Working Party for transatlantic data transfers.
Where these two sets of legal provisions will ultimately take us, and whether they will be in harmony or in conflict, will be influenced by the different cultural attitudes to privacy in the EU and the USA and by the reasons the legislation was created in the first place. The GDPR came from the EU itself, out of a desire to protect its citizens and to adapt to changes in technology that the European Data Protection Directive did not anticipate. Although the end result (a harmonised 'one-stop shop' for data protection regulation throughout the EU) can help businesses, it was ultimately concern for the privacy of its citizens that was the catalyst for change.
In contrast, the EU-US Privacy Shield is an agreement made in the wake of a high-profile court case[5] that invalidated the Safe Harbour agreement, and it aims to rekindle digital business with a country with markedly different attitudes and priorities when it comes to privacy. For example, in the USA the right to erasure is much more limited and arises only in case law, unlike in the GDPR, which gives every individual this right.
As a result, coming to a mutual agreement is difficult, and the scope of the GDPR and the EU-US Privacy Shield differs. Critics of the Privacy Shield are already expressing concerns about the notion of 'self-certification', the independence of the proposed Ombudsperson and the 45-day window companies have to respond to complaints from individuals.[6]
Given this tension, and given that the Privacy Shield as it stands today will be reviewed annually by the EU and US authorities, changes are likely, which has pros and cons. On the one hand, any inadequacies can be corrected in a timely fashion; on the other, regular changes to the framework could make life difficult for data protection officers and for lawyers overseeing litigation and investigations.
What are the challenges that arise in international data transfers in litigation and investigations?
The current lack of clarity is difficult for law firms and corporations involved in cross-border litigation and investigations, where the transfer of data is often essential to avoid court sanctions or fines from regulators.
Because we operate in a connected, global world, these cases and investigations often span continents as well as countries, so collecting data in multiple jurisdictions while complying with local, EU and other law is challenging.
How can technology help in this challenging legal environment?
- In many cases, the safest way of operating in the post-Safe-Harbour, pre-GDPR world is to avoid transferring personal data altogether, and thus to bypass the need for standard contractual clauses and binding corporate rules. Local data centres and mobile ediscovery technology enable companies to process, filter and analyse data in country, and even on site, removing the need to transfer data wholesale across borders to central processing hubs. These technologies have become very powerful over the years and can process large volumes of data in a short timeframe. Personal data can be identified and removed from a data set before the data is transferred to, or accessed from, the US. By processing and searching the data in Europe first, a party can show that steps have been taken to limit the data transferred to that which is strictly necessary to the case. This is in line with the Article 29 Working Party's guidance that efforts should be made to restrict the transfer of personal data as much as possible and that only data relevant to the issues being litigated should be transferred.
Predictive coding technology, a machine learning tool in which a human reviewer trains the computer to find data relevant to a case, can also support the 'privacy by design' requirement by segregating and filtering out personally identifiable or sensitive data and reducing the risk of over-collection.
Furthermore, should a company receive large numbers of 'right to erasure' requests, ediscovery platforms and predictive coding can ensure that the relevant data is found quickly and deleted in a forensically sound, documented manner.
Until the Privacy Shield and GDPR are fully confirmed and in force, transferring data across the Atlantic remains a challenging and complex legal procedure, and even once they are both in force the legal frameworks are subject to change. However, while the EU, the US Department of Justice and privacy campaigners battle it out in the courts, technology can provide neat and cost-effective solutions that allow data to be processed and reviewed during this time of uncertainty.
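The in-region minimisation step described above (filter for relevance in country, strip personal data, transfer only what is strictly necessary, and keep evidence of having done so) can be sketched in code. The following is an added illustration, not code from the article or from Kroll Ontrack's products: the documents, custodian names and matter keywords are constructed for the example, and a keyword rule stands in for predictive coding. The re-identification key produced by the pseudonymisation step is returned separately so that it can be retained in region and never leaves with the transferred package.

```python
"""Added illustrative example (not from the article or Kroll Ontrack).

An in-region data minimisation pass for a cross-border ediscovery transfer:
score documents for relevance locally, pseudonymise personal data in the
relevant subset, and produce an audit manifest recording what was withheld,
what was transferred, and how much was redacted from each exported document.
All documents, names and keywords below are constructed for the example."""
import hashlib
import re

# Constructed sample corpus: document id, country of collection, body text.
CORPUS = [
    {"id": "DOC-001", "country": "DE",
     "text": "Anna Müller approved the Falcon contract. Contact "
             "anna.mueller@example.de or +49 30 1234567."},
    {"id": "DOC-002", "country": "FR",
     "text": "Canteen menu for March. Questions to facilities@example.fr."},
    {"id": "DOC-003", "country": "DE",
     "text": "Falcon pricing memo from Pierre Dubois; see attached invoice 4471."},
    {"id": "DOC-004", "country": "IE",
     "text": "Reminder: annual leave requests go to hr@example.ie."},
]

MATTER_KEYWORDS = ["falcon", "invoice"]             # constructed issue terms
CUSTODIAN_NAMES = ["Anna Müller", "Pierre Dubois"]  # constructed custodians

# Simple patterns for two common categories of personal data in e-mail text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+\d[\d ]{6,}\d")


def is_relevant(text, keywords):
    """Relevance gate, run in region. A keyword rule is used here in place
    of the trained predictive-coding model a real review would apply."""
    lowered = text.lower()
    return any(k in lowered for k in keywords)


def pseudonymise(text, names):
    """Replace personal data with stable tokens.

    Returns the rewritten text and the key (token -> original value). The key
    is what allows re-identification, so it stays in region with the
    reviewing party and is not part of the transferred package."""
    key = {}

    def token(kind, value):
        tok = "[%s-%s]" % (kind, hashlib.sha256(value.encode()).hexdigest()[:8])
        key[tok] = value
        return tok

    for name in names:                      # known custodians first
        if name in text:
            text = text.replace(name, token("PERSON", name))
    text = EMAIL_RE.sub(lambda m: token("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: token("PHONE", m.group(0)), text)
    return text, key


def prepare_transfer(corpus, keywords, names):
    """Build the package that may leave the region and the audit manifest.

    Returns (package, manifest, rekey): package holds only relevant,
    pseudonymised documents; manifest lists withheld ids and, per exported
    document, its source country, redaction count and SHA-256 of the exported
    text; rekey maps each exported id to its in-region re-identification key."""
    package, rekey = [], {}
    manifest = {"transferred": [], "withheld": []}
    for doc in corpus:
        if not is_relevant(doc["text"], keywords):
            manifest["withheld"].append(doc["id"])
            continue
        text, key = pseudonymise(doc["text"], names)
        rekey[doc["id"]] = key
        package.append({"id": doc["id"], "text": text})
        manifest["transferred"].append({
            "id": doc["id"],
            "source_country": doc["country"],
            "redactions": len(key),
            "sha256": hashlib.sha256(text.encode()).hexdigest(),
        })
    return package, manifest, rekey


if __name__ == "__main__":
    pkg, man, _ = prepare_transfer(CORPUS, MATTER_KEYWORDS, CUSTODIAN_NAMES)
    for d in pkg:
        print(d["id"], d["text"])
    print("withheld:", man["withheld"])
```

The manifest is the artefact a party would keep to show a regulator or court that the export was limited to documents relevant to the matter and that personal data was pseudonymised before transfer; the per-document hash lets the receiving side confirm it holds exactly the minimised text that was approved for export.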
Contributed by Tracey Stretton, legal consultant and Lauren Grest, legal researcher, Kroll Ontrack
[5] Maximillian Schrems v Data Protection Commissioner (Case C-362/14)