Navigating EU Data Compliance in a Sea of Uncertainty: As alternatives to Safe Harbor and the Privacy Shield are debated, companies should focus on GDPR compliance

Monday, July 11, 2016 - 16:22

Thomas Matzen of iDiscovery Solutions brings over 15 years of experience in eDiscovery and project management for both domestic and international matters. Matzen has managed over 100 eDiscovery engagements, including several high-profile and complex cases. His experience includes international data privacy, data collection, data preservation, advanced search technologies, data repository use and data production. His remarks have been edited for length and style.

MCC: When we last spoke, we were waiting on validation of the Privacy Shield, which obviously didn't happen. How did all of that shake out?

Matzen: Earlier this year, the Article 29 working group in Europe reviewed the proposal from the EU and U.S. representatives and gave an advisory opinion stating that the Privacy Shield was not adequate. Their argument was that, as proposed, it did not address all of their concerns. From there, they issued a non-binding opinion essentially stating that substantial changes would be needed to gain approval.

Now, in May of this year, the Article 31 working group, which is a different working group, involved in working these things through in Europe, also is stating that it is not adequate. They don't support it, and more work needs to be done. We’ll see what that means. There have been two authorities jumping in on the European side that have basically eliminated the Privacy Shield as it was written.

Will it go back to negotiations and more discussion? Probably, but there is still a major hurdle: U.S. surveillance of data of European citizens. That's where we are now. You have the Article 29 and Article 31 working groups basically saying no. While those aren't legislative votes, they carry a lot of weight. One should assume it's not going to move forward as is, and companies definitely should not rely upon it as is.

MCC: What are the major changes that you mentioned earlier?

Matzen: From the U.S. perspective, it’s been a flurry of activity over the last few months. Let's go back to last fall when Safe Harbor, which was a means of transferring data from the EU to the U.S., was invalidated in light of the Schrems case. That's what led us down the path of trying to develop the Privacy Shield. While discussions on the Privacy Shield were going on between the Article 29 and Article 31 groups, the U.S. Supreme Court in April expanded Rule 41 of the Federal Rules of Criminal Procedure. That gave broader discretion to the FBI to get warrants on computers outside of the U.S. and to, essentially, hack those computers.

Also, we’ve changed the way we transfer data inter-company or intra-company. It used to be Safe Harbor, and people were hoping it would be the Privacy Shield, but during this period of turmoil even Facebook went to “model contracts”, Model Contracts are another vehicle to transfer data out of the EU where the company is vouching for the adequacy of their data privacy protection standards.  Unfortunately, in the last few weeks, this vehicle is also being called into question by the EU.

The primary argument is the same: U.S. surveillance systems and activities violate the fundamental privacy rights of European citizens. It's hard to believe the Privacy Shield won’t suffer the same fate as Safe Harbor. If that happens, and we should know in the next two to three months, you would have Safe Harbor gone, the Privacy Shield not in place, and model contracts invalidated. That leaves you with binding corporate rules, which is yet another method, but who's to say that's not going to be challenged? I want to make people aware that the ways that you can transfer data lawfully from Europe back to the U.S., whether it's in litigation or even within your own company, are being knocked out one at a time and the U.S. government's actions are going to make it harder for it to be remedied. 

There is discussion about a quasi-governmental third party – they're calling it “privacy seals” – where an entity goes through some paperwork, an interview process and these entities provide a seal of approval of your adequacy and then they investigate your upstream and downstream web commerce activities to make sure everybody's on board. They're charging for it. For one company it's about $10,000 U.S. dollars, and you get a two-year seal. There will probably be an icon on your web page saying that you meet these standards and the web commerce data can move.

Some European commentators and data protection officials like the idea of taking this self-certification piece out. They say companies are just vouching for themselves. The seal element may answer some questions in certain areas, but it doesn't eliminate the surveillance fear directly. It'll be interesting to follow how this seal idea works.

MCC: What are companies doing to stay compliant? Have they just stopped transferring the data until they can figure out what to do? Has there been a grace period?

Matzen: If you follow the General Data Protection Regulations (GDPR), you should be in good shape regardless of what occurs down the road. People are trying to predict what's going to happen next. They know the answer's not going to be companies just going out of business because they can't move data. There's got to be a workaround. That could be having more European-based operations and doing more things in the country where the data is located, which isn't a cheap solution, but it’s definitely something companies are leaning towards.

Companies preparing for GDPR compliance must have a Data Protection Officer (DPO), so a lot of that hiring is going on. Those people are being asked to follow these data transfers, which is good. It gets a specialist involved who understands these things instead of an in-house attorney or even an outside firm.

MCC: Tell us a bit more about the GDPR and how the penalties and other aspects will work.

Matzen: It will have strong penalties of 2 percent to 4 percent of global revenue if you're found in violation. Is that for first-time offenders? Is that for serial offenders? How's the enforcement going to work? Those are unknown at this time. But that's a number that would alter the course of a company.

The GDPR is more than just a transfer vehicle. It's taken five years of work to get it to where it is today, and maybe that’s a good thing given all the juggling with the Privacy Shield, model contracts, and Safe Harbor. The GDPR is not going anywhere and it's not going to be substantially amended. It's a different vehicle altogether. The two-year grace period has started. If companies aren't already putting plans in place internally, there are lots of private companies offering checklists, consulting, investigations and generally trying to help people comply with GDPR. The main point is that all these discussions of model contracts and Safe Harbor and Privacy Shield will not affect the GDPR.

MCC: Do you think that's where companies should be focusing instead of on workarounds?

Matzen: Six months ago, I would have argued there's a long-term goal and a short-term goal. Now that we're getting closer, yes, the focus should be on understanding and complying with the GDPR. That does not eliminate the need to move data within your company across borders, or for litigation purposes in the U.S.  You need to become compliant with all sections of the GDPR. That's a good goal. Companies should have their DPO working with technical folks and C-suite executives to achieve compliance. While they're doing that, they'll be checking the boxes of whatever transfer agreement ends up coming into place. It might take a company a year, two years, depending on their size, to get compliant and understand and digest the GDPR.

MCC: What will BREXIT mean to EU data transfer or the GDPR?

Matzen: In terms of fires created by BREXIT, the issue of data transfer is not high on the list of importance in my opinion.  Once the divorce is finalized, Britain will become similar to the United States, as in it has to prove it meets the adequacy standard of the EU.  Being that Britain shared the EU's standard before, I would assume they would meet the standard now and simply require some new documentation confirming such standards.  As for the GDPR, I see no changes or delays in light of BREXIT for any UK company operating in other EU countries.  I could foresee Britain signing onto the GDPR as an independent, non- EU state, however.  The fact that companies in Britain are so intertwined with the EU, I don't see BREXIT as a realistic way for EU companies to get out of the GDPR requirements.

Thomas Matzen is director of international eDiscovery and data privacy at iDiscovery Solutions. He can be reached at