EU - U.S. Privacy Shield and the GDPR: The new rules of engagement for transatlantic data transfers

Wednesday, March 30, 2016 - 12:11

Thomas Matzen of iDiscovery Solutions brings over 15 years of experience in e-discovery and project management for both domestic and international matters. Matzen has managed over 100 e-discovery engagements, including several high-profile and complex cases. His experience includes, but is not limited to, international data privacy, data collection, data preservation, advanced search technologies, data repository use and data production. His remarks have been edited for length and style.


MCC: What is the EU-U.S. Privacy Shield and how does it differ from the Safe Harbor Act, in both spirit and practical terms?


Matzen: The EU-U.S. Privacy Shield (Privacy Shield or Shield) came about as a result of the invalidation of Safe Harbor. It is a new framework for transatlantic data flows, requiring U.S. companies to do more to protect the personal data of EU citizens and additional monitoring and enforcement by the Department of Commerce and the FTC. It calls for clear conditions, limitations and oversight of data as opposed to general access. It will also be easier for Europeans to file complaints.

As the investigations and surveillance performed by the U.S. government came to light, people in the EU drew attention to the problem. When an EU court struck down Safe Harbor, which was a negotiated agreement between the U.S. and EU allowing data flows between the two, it eliminated the most popular way to transfer data from Europe to U.S. companies, and all that entails. The Privacy Shield has been negotiated between the Department of Commerce, the FTC and their counterparts at the EU over the last two months. It needed to move quickly, as a lot of companies felt vulnerable and uncertain what to do because the way they had been transferring data was deemed invalid. It’s not a done deal yet, but corporate representatives, employees and counsel should know that it seems likely to happen. It brings in some of the elements of Safe Harbor but sets a higher bar. It will require more strategic thinking and planning, and it will add costs for companies that implement it. It applies to all European citizen data coming to the U.S. 

The crux of the problem, as the Europeans see it, is that the U.S. lacks adequate standards on privacy to protect the data of EU citizens. That’s how we got here.


MCC: Is the concern about the security of the EU citizens’ data or the U.S. government monitoring of EU citizens?


Matzen: It’s the latter. In the Schrems decision, which invalidated Safe Harbor, the judge talked about the Snowden effect, highlighting that the surveillance done by the U.S. government was a major problem. A lot of EU data privacy officers thought Safe Harbor was flawed in its design anyway because it’s based on self-certification. They never liked it and didn’t trust it. There was a groundswell to get rid of it before the revelations of the U.S. government’s surveillance techniques. That just brought it to a boil. The Schrems case provided a vehicle to axe it. The public sentiment in the EU was that the U.S. government and its companies could not be trusted with protecting the privacy of EU citizens. There’s a whole industry in buying and selling data, and just the data mining aspect strikes fear in the hearts of all types of people in a lot of EU countries. 

Half of those Safe Harbor data transfers were HR-related and had nothing to do with litigation or data mining. It was just companies with employees in other countries, transferring HR data. Now those companies are wondering what to do. Hopefully, the shield will provide some relief. Corporations need to be aware that there’s a specific carve-out for human resources in the shield.


MCC: Our readers are primarily general counsel of multinational corporations. What are the most important aspects of the Privacy Shield that they should be aware of and what are the added costs you mentioned? 


Matzen: Every multinational corporation should have someone on their team researching and digesting the new General Data Protection Regulation (GDPR). The GDPR is separate from the Privacy Shield, but the Shield takes a lot of its principles from the GDPR. I’m hopeful that corporations have been studying up on the GDPR because it has recently been adopted, and the EU Council had given corporations a three-year transition period to achieve compliance.

After the transition period, the penalty for violation of the GDPR is up to 4 percent of gross revenue worldwide, which you can imagine should scare anybody who runs a corporation. Among other things, the GDPR requires that a data protection officer be named for each company. 

General counsel should consider putting a team together to address the GDPR standards and help ease the transition to the Privacy Shield principles. I would not recommend having one group working on Privacy Shield compliance and logistics and one working on GDPR. They overlap, and assuming a corporation’s been keeping up with the GDPR, the Privacy Shield shouldn’t scare them or raise too many additional hurdles.

Under the Shield, companies need to certify to the U.S. Department of Commerce that they are committed to the listed principles and guidelines. Similar to Safe Harbor, they will need to publicize their privacy policies. A little different from Safe Harbor, they will be required to explain to the Department of Commerce that they are not only committed, but also will have to disclose how they deal with data from EU citizens, including specifics as to the types of business they handle. It involves some research, but I don’t think the costs are going to be astronomical. The GDPR is a more expensive task. That is going to be a major shift in how they manage data.


MCC: To what extent will third-party vendors pose a risk to companies in their efforts to comply with the Privacy Shield and GDPR?


Matzen: This is where some of the new expenses will arise. Corporations have no shortage of vendors, including the law firms they hire. They will be responsible for going down the chain, checking the privacy and the data protection elements of vendors. Essentially, they will have to become a clearinghouse, vouching for all of the vendors that venture into their world of data, which could be thousands. That’s another element that corporations are going to have to address.


MCC: Within a company, who should be aware of the Privacy Shield and its restrictions, and who are the day-to-day players charged with maintaining compliance?


Matzen: This will depend on how the company is structured. Any company with employee or customer data in the EU will likely need a dedicated person to help manage and maintain the flow of data. Many have hired a dedicated data protection officer in the last two to three years, which is good. That’ll just continue to grow. I would say the Privacy Shield falls under their control, with however many lieutenants or resources they have underneath them. I wouldn’t say it’s purely an IT function, but I think of it as a team. They might have a dedicated Privacy Shield/GDPR team, especially to get it launched. A data map is not required, but companies do need to submit a document to the Department of Commerce, and they likely will need to update their privacy policy. Most current privacy policies are too general to gain acceptance. They will need to be more specific, especially on the recourse mechanisms the Privacy Shield requires.

I would assume the GC or CLO of the corporation would be involved. Any time you’re dealing with the Department of Commerce, the FTC, foreign entities, the Article 29 Working Group, you definitely want a lawyer or a team of lawyers involved, preferably an in-house group. I don’t think this is something you want to outsource. Some small companies won’t have a choice, but I would want to bring that position in-house if it is affordable.


MCC: Do you anticipate any changes to response and disclosure if there are breaches? 


Matzen: The Privacy Shield protects the European citizen. There’s a series of privacy principles that were in Safe Harbor that are being expanded for greater protection to these individuals. There is notice, choice, accountability on transfer, security, data integrity, purpose limitation and then access. The Shield requires companies to create an incident response plan if their data’s breached. Similar to Safe Harbor, you have to have a plan, and you have to disclose that plan, but it doesn’t tell you that your data breach response plan has to be in accordance with those principles. Corporations are going to have to build in a mechanism that allows the European citizen to essentially opt out of data collections, which is the choice element.


Thomas Matzen, Director, International e-Discovery and Data Privacy at iDiscovery Solutions.