Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

The Data Privacy & Protection in the EU-U.S. Desktop Guide is available on request as a PDF or hard copy.

GDPR Webinar Series

Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, we invite you to subscribe to Seyfarth’s Carpe Datum Law Blog and to Seyfarth’s The Global Privacy Watch Blog.

The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines of up to 4% of a business’s global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain about a company’s privacy practices directly to the local Data Protection Authorities, compliance with the GDPR will now be one of those risks that any business that touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now. Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR

It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.

Fortunately, the data protection regulators (“DPAs”) recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued a moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of the data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”, and stated that the “current negotiations around a new Safe Harbor could be part of the solution.” Continue Reading Safe Harbor 2.0 – Is It Happening?

The annual conference of the world’s data protection regulators is a three-day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed-door meetings. This is a good meeting to gain insight into the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference: Continue Reading The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations

And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this is where implementation will be most difficult – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been part of the basis for the need Safe Harbor fulfills. Continue Reading Access By US Authorities – The REAL Reason Safe Harbor is at Risk

Enforcement has long been a sticking point between the US and the EU. Some of this comes from the inherent clash of juridical cultures between the civil and common law traditions. And some of this just seems to be the EU expecting the bigger and better resourced US Government to pick up some of the slack. Unfortunately, governments on both sides of the Atlantic have limited resources. Realistically, this is the “sweet spot” for Trustmarks. They can provide a wider net of services to companies than the government can (whether because of jurisdictional or financial limitations).

8. Following the certification or recertification of companies under the safe harbor, a certain percentage of these companies should be subject to random investigations of effective compliance with their privacy policies.

Spot-checking would be a new component of the safe harbor framework. However, this also seems to be a concern more oriented towards government resource allocation. Trustmarks often do this type of spot-checking based on the risk profile of the company which has been certified.

9. Where there has been a finding of noncompliance, following a complaint or investigation, the company should be subject to a follow-up specific investigation after one year.

While this recommendation sounds good in practice, it may not be necessary. In the event that a finding of noncompliance was due to a nonmaterial mistake, which generated little to no actual harm to the consumer, it is neither feasible nor reasonable to require a follow-up investigation after a year, as there is very likely nothing to find. This being said, follow-up investigations, or spot-checking, are very appropriate for violations which are complex, or due to the interaction of multiple parties within the data flow; for example, where a subcontractor has inadvertently disclosed personal information due to the exploitation of a security vulnerability within its network infrastructure. Fortunately, this is not a difficult requirement to implement so long as it is done in a commercially reasonable way.

10. In the case of doubts about a company’s compliance, or pending complaints, the Department of Commerce should inform the competent EU data protection authority.

Again, this will depend on the type of complaint. It is doubtful that the competent EU data protection authority is going to be interested in every single instance of an unsubscribe request taking longer than 10 days. The report and memo both recognize that there are a number of consumer complaints which do not fall within the privacy ambit. Consequently, reporting to an EU authority should be managed in a way that most effectively leverages that authority’s limited resources. We have already seen this in practice in the United States, where Trustmarks evaluate the quality of a complaint prior to forwarding it on to the Federal Trade Commission.

11. False claims of safe harbor adherence should continue to be investigated.

Obviously, this is not a recommendation for new activity. This is merely, as noted before, a desire to have additional government resources attached to this particular function. Consequently, the ease with which this recommendation may be implemented is contingent upon the budgetary constraints of a particular administration.

The next set of recommendations seeks to improve how the individual can directly seek resolution to a potential violation of their privacy rights.

5. The privacy policies on companies’ websites should include a link to the alternative dispute resolution (ADR) provider and/or EU panel.

Many companies that participate in the safe harbor framework already comply with this requirement. For example, any website which includes the TRUSTe certified privacy seal also includes links to the TRUSTe dispute resolution services. This is a required component in order for that website to be certified to the TRUSTe program requirements. It should also be noted that this is a requirement under the APEC CBPR system. Functionally, a Trustmark which certifies the practices of a company against a standard will need to have some means of resolving disputes claiming that the standard is no longer being met. Not only is this good business, it is practically a requirement to ensure that the Trustmark is effectively managing its trademark under US trademark law.

6. ADR should be readily available and affordable.

While the two largest ADR providers in the United States charge fees, most of the Trustmarks in the United States (BBB, TRUSTe, etc.) provide ADR services to the consumer for free. Needless to say, this recommendation is already in play where the participating company uses a Trustmark as its third-party validation service under FAQ 7.

7. The Department of Commerce should monitor ADR providers more systematically regarding the transparency and accessibility of the information they provide concerning the procedure they use and the follow-up given to complaints.

This recommendation seems to be one more oriented toward government resources and allocation of government funds than the safe harbor program in and of itself. While it would be beneficial for the US government to allocate resources to the Department of Commerce to support safe harbor, this is not an intrinsic weakness of the framework itself. Case in point: many data protection authorities within Europe have limited resources to manage much smaller constituencies of business than the US Department of Commerce.

Much has been written recently regarding the European Commission’s latest report on the sufficiency of the US – EU safe harbor agreement. For the most part, the commentary seems to be focused on the impending doom of the Safe Harbor Framework. While there are a number of references to the “13 recommendations” to “save” safe harbor, further investigation into what those recommendations will actually require is limited. Consequently, the difficulty of implementing these “13 recommendations” really hasn’t been evaluated. While the lucky “13” may seem to be a lot, the more important question is: “how hard will it be to implement these recommendations?” Continue Reading US-EU Safe Harbor Agreement at Risk? The Sky Isn’t Falling Yet Chicken Little