
DOJ Issues Final Rule on US Bulk Sensitive Data

The International Emergency Economic Powers Act (IEEPA) vests the President with authority to deal with extraordinary threats to national security and foreign policy that have their source in part or in whole outside of the United States. Acting pursuant to the IEEPA, President Biden issued Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data By Countries of Concern” (the EO). The EO directed the Department of Justice (DOJ or Department) to establish and implement regulations addressing threats from certain countries of concern attempting to access and exploit bulk amounts of US sensitive data, including personal and government data. On December 27, 2024, the DOJ issued the Final Rule, which went into effect on April 8, 2025. Additional compliance provisions for certain transactions take effect on October 6, 2025. The Final Rule prohibits or restricts a range of transactions involving categories of bulk sensitive personal data or government-related data between the US and countries of concern or covered persons. In assisting businesses to adapt to this comprehensive update, the DOJ provided a Fact Sheet, a Compliance Guide, and over 100 FAQs on the Final Rule, along with an Implementation and Enforcement Policy. Below are five main takeaways that US entities may want to consider in light of these regulations.
  1. Enforcement May Be More Lenient Until July 8, 2025
The DOJ’s Implementation and Enforcement Policy states that the Department will “target its enforcement efforts during the first 90 days to allow US persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the [Final Rule].” The Department’s civil enforcement actions for violations of the Final Rule will not be a priority “so long as the person is engaging in good faith efforts to comply with or come into compliance with the [Final Rule] during that time.” However, the Department makes clear that it will “pursue penalties and other enforcement actions as appropriate for egregious, willful violations” during the delayed enforcement period.
  2. DOJ Will Consider Good Faith Efforts to Comply
While the Implementation and Enforcement Policy reflects that civil actions for violations of the Final Rule will not be a priority, this depends on the entity’s good faith effort to comply. According to this Policy, examples of evidence of good faith efforts may include, but are not limited to:
  • Conducting internal reviews of access to sensitive data.
  • Conducting internal reviews to determine whether transactions involving access to such data flows constitute data brokerage.
  • Reviewing internal datasets and datatypes to determine if they are subject to the Final Rule.
  • Conducting due diligence on potential new vendors.
  • Renegotiating vendor agreements or negotiating contracts with or transferring products or services to new vendors.
  • Adjusting employee work locations, roles or responsibilities.
  • Evaluating investments from countries of concern or covered persons.
  • Implementing the CISA Security Requirements.
  3. “Good Faith” May Include Satisfying CISA Security Requirements
A good-faith effort to comply may be demonstrated, in part, by implementing the CISA Security Requirements, which were developed concurrently with the Final Rule pursuant to the EO. The security requirements are intended to address threats that arise when conducting restricted transactions, as detailed below. These security requirements are divided into two sections: i) organizational- and covered system-level requirements; and ii) data-level requirements.
  4. Before October 6, 2025, Determine if Your Company is Conducting Restricted Transactions
US entities engaged in restricted transactions under the Final Rule have affirmative data compliance program and audit obligations, among other obligations. In addition, the Final Rule provides that data brokerage transactions are prohibited with any foreign entity unless the US person contractually prohibits the foreign entity from engaging in subsequent transactions involving that data with a country of concern or covered person. US persons must also report any known or suspected violation of this requirement.
  5. An Iterative Review Plan May be Needed for Covered Transactions
With the Final Rule coming into effect and enforcement nearing, US companies that engage in certain data transactions or share information with third parties that may be covered persons or countries of concern should evaluate their transactions and data practices. After a thorough review of the types of information collected, who that information is shared with, and who is involved in the processing of that data, it may be helpful to adopt a compliance policy to ensure transactions are being handled appropriately in light of the Final Rule.

Uber Fined $324 Million for Data Transfer Violations

What Happened?

On Monday, the Dutch Data Protection Authority (DPA) announced that Uber will be fined over $324 million for violating a European Union data privacy law.[1] The Dutch DPA stated that Uber transferred personal data about its drivers to the United States without appropriate safeguards, violating the GDPR.[2] According to the decision, transfer tools to protect this data were not used during the two years that Uber sent personal data from the EU to its US headquarters.[3]


Uber is expected to appeal the ruling, and Michael Valvo, an Uber spokesperson, stated that the “flawed decision and extraordinary fine are completely unjustified.”[4] In 2018, the Dutch DPA fined Uber $1.2 million for failing to report a data breach in a timely manner.[5] Earlier this year, the Dutch DPA fined Uber $11 million for infringement of privacy regulations, also concerning the personal data of drivers working for Uber.[6]


What Can We Learn?

Uber’s fine is one of the largest penalties issued under the GDPR, highlighting the strict enforcement and requirements of data protection law within the EU.[7] The chairman of the Dutch DPA, Aleid Wolfsen, stated that “the GDPR protects people’s fundamental rights by requiring companies and governments to handle personal data with care” and that Uber’s violations were “very serious.”[8]


Enacted in 2016, the GDPR sets forth rigorous standards for transferring and managing personal data. Significant financial penalties have been issued to multiple technology companies, including Meta’s $1.3 billion fine in 2023 for similar violations.[9]


The Dutch DPA alleges that Uber failed to implement adequate protections, as Uber was not part of the Data Privacy Framework.[10] Additionally, the Dutch DPA alleged that in August of 2021, the company stopped using Standard Contractual Clauses (SCCs).[11] Either of these methods may have allowed Uber to avoid regulatory scrutiny.


Understanding the Data Privacy Framework

There are specific rules that apply to data transfers from the EU to the US.[12] Some businesses in the US are members of the Data Privacy Framework, a set of agreements about safe personal data transfers to the US.[13] If the organization belongs to the Data Privacy Framework, they are treated as having an equivalent level of data protection to the EU.[14] This means that those businesses can transfer EU personal data to businesses consistent with EU law and without additional transfer tools.[15] However, if the business is not part of the Data Privacy Framework, the company will have to take additional protective steps when transferring data.[16]


Understanding Standard Contractual Clauses

If the US-based business or entity does not participate in the Data Privacy Framework and does not fall within the Article 49 derogations or another exception to the data transfer requirements, then two additional requirements must be met to transfer personal data outside of the EU: 1) a transfer tool must be in place, and 2) additional measures to protect the data must be taken as needed. Article 46 of the GDPR provides a list of transfer tools which provide “appropriate safeguards,” including Standard Contractual Clauses (SCCs).[17]


SCCs are model contracts approved by the European Commission which allow controllers and processors to comply with the requirements of EU data protection law.[18] SCCs contain highly specific data protection safeguards, so when they are used between companies, there is a contractual obligation that personal data will be treated with a high level of protection when transferred outside the EU.[19] Because these contracts are standardized, SCCs are a “ready-made” tool that is relatively easy to implement.[20]


The investigation into Uber arose after the Schrems II ruling, which invalidated the EU-US Privacy Shield due to insufficient data protection standards in the US.[21] Despite this ruling, Uber continued transferring personal data of its drivers from the EU to the US without implementing SCCs or other safeguards, based on the argument that Chapter V of the GDPR, which covers transfers of personal data to other countries, did not apply.[22] Uber stated that its actions were exempted under Article 3(2), which defines the territorial scope of processing activities.[23] While Uber maintains that its data protection policies and processes, found in its privacy notice, are sufficient, this investigation and initial ruling demonstrate the heightened scrutiny that US companies face when operating in the EU.


Update from 9/13/2024

The European Commission has launched public consultation on the new EU SCCs. This consultation is for clauses in specific cases where a data importer is located in a third country but is directly subject to the GDPR. Adoption of these guidelines is expected in Q2 of 2025.


[1] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[2] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[3] https://www.jurist.org/news/2024/08/netherlands-data-protection-authority-fines-uber-e290m-for-violating-eu-data-regulation/

[4] https://www.nytimes.com/2024/08/26/business/uber-netherlands-fine-driver-data.html

[5] https://www.ciodive.com/news/uber-hit-with-12m-in-fines-for-2016-data-breach/543017/

[6] https://www.reuters.com/technology/cybersecurity/dutch-privacy-watchdog-fines-uber-sending-drivers-data-us-2024-08-26/

[7] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[8] https://complexdiscovery.com/uber-faces-e290-million-fine-for-gdpr-violation-in-data-transfer-to-us/

[9] https://www.metaverse.law/2023/05/22/meta-fined-for-data-transfer-violations/

[10] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[11] https://www.autoriteitpersoonsgegevens.nl/en/current/dutch-dpa-imposes-a-fine-of-290-million-euro-on-uber-because-of-transfers-of-drivers-data-to-the-us

[12] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[13] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[14] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

[15] https://www.dataprivacyframework.gov/Program-Overview

[16] https://www.autoriteitpersoonsgegevens.nl/en/themes/international/transfer-within-and-outside-the-eea/personal-data-transfers-to-the-us

[17] https://www.edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf

[18] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[19] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[20] https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en

[21] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/

[22] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop

[23] https://www.linkedin.com/posts/protectionofdata_uber-decision-dutch-dpa-activity-7234087611676463106-PWNz?utm_source=share&utm_medium=member_desktop


Meta fined US $1.3 billion for data transfer violations

The decade-long case on Meta’s transfer of EU personal data to the United States ended on May 22, 2023, with a €1.2 billion (US $1.3 billion) GDPR fine against Meta.[1] In addition, the Irish Data Protection Commission (DPC) exercised the following corrective powers against Meta:
  • An order, pursuant to Article 58(2)(j) of the GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within five months.
  • An order, pursuant to Article 58(2)(d) of the GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EEA users transferred in violation of the GDPR, within six months.[2]
The fine and corrective orders came after the Irish DPC found that Meta violated the GDPR by failing to protect EU Facebook users’ data from US surveillance practices and spy agencies. “We are happy to see this decision after ten years of litigation,” said the Austrian privacy activist Max Schrems.[3] “The fine could have been much higher, given that the maximum fine is more than 4 billion and Meta has knowingly broken the law to make a profit for ten years. Unless US surveillance laws get fixed, Meta will have to fundamentally restructure its systems.”

The US Surveillance Problem

In its decision, the Irish DPC recognized that US intelligence authorities have seemingly unrestricted access to EU data flowing into the US, including data from Meta’s data transfers. This access is based on Section 702 FISA and on Executive Order 12333.[4] Section 702 FISA permits, following FISC approval, the surveillance of individuals who are not US citizens located outside of the US to obtain “foreign intelligence information.” Executive Order 12333 allows the NSA to access data “in transit” to the US, by accessing underwater cables on the Atlantic floor. When Meta transferred EU personal information to the US for processing, Section 702 FISA and Executive Order 12333 allowed US intelligence authorities to access that data for broad surveillance activities. This access threatens the fundamental rights and freedoms of EU data subjects. To protect EU data subjects from this threat, Meta relied on the Standard Contractual Clauses (SCCs) to provide a level of protection to EU data subjects that is essentially equivalent to that provided by EU law.[5] However, as this decision demonstrates, the SCCs fail to provide Meta’s EU users with an equivalent level of protection as provided by EU law.

The SCCs & the Ongoing EU-US Data Transfer Issues

The Irish DPC’s decision continues the decade-long struggle for the EU and US to establish a valid data transfer mechanism.

In 2000, the US and EU developed the International Safe Harbor Privacy Principles to prevent private organizations within either country from accidentally losing or disclosing personal information. The European Commission decided that these principles complied with the EU Data Protection Directive, thereby allowing the flow of data between countries. However, the European Court of Justice declared in October 2015 that the Safe Harbor decision was invalid. Subsequently, in 2016, the US and EU developed the EU-US Privacy Shield, a legal framework for regulating and enabling transatlantic exchanges of personal data between the countries. Yet, as with Safe Harbor, the European Court of Justice declared Privacy Shield invalid in July 2020. This left companies to rely on contractual mechanisms, known as the SCCs, to transfer data between the countries without violating the GDPR. However, as the Irish DPC decision demonstrates, even though Meta relied on the SCCs, the SCCs failed to provide the protection necessary to ensure the transfer protected EU data subjects in accordance with the GDPR. Leaders within the US and EU announced in 2022 that a new data transfer framework called the Trans-Atlantic Data Privacy Framework (TADPF) had been agreed upon, but it is uncertain whether this framework will survive scrutiny from the European Court of Justice. The TADPF attempts to address the US surveillance problem by, in part, restricting access to EU personal information by US intelligence agencies to that which is “necessary and proportionate to protect national security.”[6] However, prominent privacy activists have expressed skepticism over how US surveillance can be “necessary and proportionate” under EU law.[7] In the meantime, without an international data transfer framework and with the sufficiency of the SCCs in question, companies will need to be cautious in how and when they transfer EU personal information from the EEA to the US. 

Meta to Appeal

In response to the decision, Meta announced that it will appeal the ruling and the “unjustified and unnecessary fine.”[8] However, given the breadth of the decision, it seems unlikely that Meta will win on appeal. In the meantime, Meta announced that there would be “no immediate disruption” to Facebook in Europe, as the decision provides Meta with an implementation period. If that implementation period runs out and Meta still lacks a valid legal mechanism by which to transfer data from the EEA to the US, then Meta may have to fragment its organization to ensure that EEA personal information largely remains stored in EEA databases.

[1] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf

[2] https://noyb.eu/sites/default/files/2023-05/DPC%20Press%20Release.pdf

[3] https://noyb.eu/en/edpb-decision-facebooks-eu-us-data-transfers-stop-transfers-fine-and-repatriation

[4] https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf, at 7.51.

[5] https://www.metaverse.law/2020/11/30/eu-us-data-transfers-after-schrems-ii-european-commission-publishes-new-draft-standard-contractual-clauses/

[6] https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7631

[7] https://noyb.eu/en/open-letter-future-eu-us-data-transfers

[8] https://about.fb.com/news/2023/05/our-response-to-the-decision-on-facebooks-eu-us-data-transfers/

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

**Update: On June 4, 2021, the European Commission formally adopted the new standard contractual clauses (“SCCs”) for international personal data transfers. Businesses will have a grace period of 18 months from the effective date of the European Commission’s decision to update all existing SCCs for transfers outside the European Union with the new SCCs. In the meantime, businesses will be allowed to keep using the old SCCs for “new” data transfers over a transition period of three months from the effective date of the European Commission’s decision — giving organizations the chance to make any changes necessary for compliance with the new SCCs before incorporating them into their contracts. Such contracts, however, will also need to be updated within the 18-month grace period.**

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”). These updated SCCs allow transfers of personal data from the EU to third countries, as well as transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post).

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”). The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:
  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (controller-processor SCCs).
In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR. Finally, the structure of the draft SCCs allows for modular contract clauses. The updated clauses also allow additional parties to accede to the clauses, either as data exporter or data importer, by way of executing a specific annex. Previously, new parties were forced to use a wraparound framework of data transfer agreements which incorporated the SCCs in order to implement them as an appropriate safeguard for international transfers. All of these changes bring welcome flexibility to these contracts.

What else is new?

The new draft SCCs are the first of their kind issued under the GDPR and, as such, reflect the GDPR’s requirements, whereas the old SCCs were drafted under the GDPR’s predecessor. Accordingly, the new SCCs impose more comprehensive transparency and notification obligations on the parties. In particular, a data importer will be required to notify the data exporter and, where possible, the affected data subjects if:
  • The data importer receives a legally binding request by a public authority, or,
  • The data importer becomes aware of any direct access by public authorities to personal data transferred pursuant to the SCCs.
Furthermore, the data importer will be obliged to exhaust all available remedies to challenge the access request if, after careful assessment, it concludes that there are grounds under the local laws to do so. In line with this new requirement of an assessment of the local laws following an access request, the new SCCs reiterate the need for a comprehensive assessment to determine whether the data transfer to a third country can reach an adequate level of data protection as required under the GDPR. According to the new clauses, the parties must take into account the specific circumstances of the transfer, any relevant prior instances of requests for disclosure by public authorities received by the data importer, as well as the laws of the third country of destination, particularly laws that require disclosure of data to public authorities or allow access by such authorities.

What does this mean?

While the new draft SCCs provide for specific safeguards in light of Schrems II, the new clauses do not relieve the parties from their obligation to assess and address the likely consequences of the third country’s laws. In effect, the draft SCCs thereby require the parties to perform a mini adequacy determination to evaluate whether the third country’s laws would prevent the data importer from complying with the SCCs in practice. This approach has already been criticized by stakeholders and practitioners alike as unwieldy, effectively placing the burden of adequacy decisions on private parties rather than government bodies. As only a few legal possibilities remain for companies to secure their cross-border data transfers following Schrems II, the draft SCCs have been eagerly awaited. The EU Commission has provided this modernization of the old model clauses in order to better reflect recent developments in the digital economy as well as the widespread use of new and more complex processing chains.

Whether the new draft SCCs can provide an adequate, as well as practical, solution for businesses around the globe remains to be seen.

What are the next steps?

The draft clauses are subject to consultation with the European Data Protection Board (“EDPB”), and are currently open for public consultation until December 10, 2020. Once formally adopted, the new SCCs will replace the previous clauses used by organizations for international transfers under the GDPR. Businesses will have twelve months from the date the new SCCs enter into force to replace any existing SCCs currently relied upon. As a result, businesses will need to assess their data transfer arrangements in the next year and replace their existing framework of standard contractual clauses with the new SCCs in order to continue making international transfers of personal data to affiliates and third parties located outside of the EEA.

A Footnote on Article 28 Clauses

Along with the new draft SCCs, the European Commission has also published draft standard contractual clauses between controllers and processors located in the EU. This draft contains clauses that a controller can impose on the processor in order to satisfy the contractual requirements that the controller is obliged to impose under Article 28 GDPR. The use of the European Commission approved Article 28 Clauses will not be compulsory, and businesses may continue to use their own data processing agreements between controllers and processors to satisfy the requirements of Article 28 GDPR.