Oct. 25 — There is no question that the more stringent requirements of the new EU/US Data Privacy Shield and the General Data Protection Regulation will keep cross-border data transferers up at night.
For openers, the new laws regulating the transfer of personal data come with hefty penalties and shortened notification time frames. And at least one noted jurist has suggested that challenges to the new regulatory regime may keep it in a state of flux for the foreseeable future.
Personal data protection is, essentially, a fundamental human right outside of the United States, James Daley of Seyfarth Shaw LLP in Chicago said Oct. 19. A safe harbor framework to govern the transfer of personal data was developed around 2000 and remained the law until 2015. It allowed U.S. companies to transfer EU citizens’ data to the U.S. if the companies satisfactorily demonstrated to the U.S. Department of Commerce their compliance with privacy principles.
In 2015, thousands of U.S. companies were left in a cross-border data transfer void when the European Union’s top court invalidated the U.S.-EU Safe Harbor Program in Schrems v. Data Protection Commissioner, 10/6/15. 16 DDEE 331, 7/21/16.
In February 2016, the European Commission filled that void by publishing the EU-U.S. Privacy Shield. The new cross-border data transfer regulation went into effect in August.
The new requirements are stricter than those of the Safe Harbor. The Privacy Shield includes more detailed notice requirements. Companies must include a list of disclosures in the privacy shield agreement and the notice must include a list of entities and subsidiaries also covered by the Privacy Shield.
In addition, the companies must make a commitment to the Privacy Shield for all personal information received from the EU, they must identify the independent dispute resolution body that would manage any arbitration related to data transfer, and describe any liability in transferring data to third parties.
The changes implicate everyone in the “supply chain” of a company involved in data transfers, including vendors, data centers and third parties, and the penalties are high under the new regime.
“The maximum penalties under the General Data Protection Act amount to 10 million Euros per occurrence or four percent of your gross annual turnover, whichever is greater,” Daley said.
The second main provision of the GDPR that “could keep you up at night” is the 72-hour breach notification requirement.
“Diagnosing how a breach happened and what happened will be hard in that time frame,” Daley said.
“If you have one server, a 72-hour notification period is adequate,” Nikos Leoutsarakos of Zeropasswords Inc. said. “If you have 40,000 servers in four continents, it’s not enough.”
Protection can’t be an afterthought, Leoutsarakos said.
The new regime also mandates that privacy controls be “baked into your systems.”
The new regulations discuss data protection by design and by default. “By default” implies that protection in your organization is assumed.
“Ignorance of these regulations isn’t an excuse,” Leoutsarakos said. “In addition, simply using or referring to the state-of-the-art isn’t an excuse either.”
“By design” means that data should be protected in all of its states, i.e., “When it’s sitting around on tapes, when it’s in transit and when data is being processed,” Leoutsarakos said.
As for legal and regulatory demands, Daley advised corporations and entities to take special care to look at their data transfer and processing contracts between data controllers and vendors.
“Once the data gets to the U.S., are you going to send it to an eDiscovery vendor, an expert witness, opposing counsel? You are going to have to show the chain of custody of data protection once it gets to the U.S.,” Daley said.
Leoutsarakos emphasized that the Privacy Shield and the GDPR only refer to personal data.
“But there’s a hidden agenda by the lawmakers,” he said. “If you go through all this trouble to protect the personal data, then you will probably use the same systems for the non-personal data.”
The discussion on the changes to the law and how to comply with the upcoming regulations took place at The Masters Conference in Washington, D.C.
Judge Andrew Peck, magistrate judge from the Southern District of New York, told Bloomberg BNA via e-mail October 24 that there is a widespread expectation that Schrems, the individual who successfully challenged the U.S.-EU Safe Harbor Program, will lodge a similar challenge to the Privacy Shield. Accordingly, data custodians, controllers and processors should not expect the legal uncertainty that has characterized cross-border transfers since 2015 to be resolved any time soon.
To contact the reporter on this story: Tera Brostoff in Washington at email@example.com
To contact the editor responsible for this story: Carol Eoannou at firstname.lastname@example.org
The Privacy Shield text is at https://www.privacyshield.gov/welcome.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.