Image of the entrance to the United States Supreme Court building.

Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?

Privacy Law , , , , , , , ,

Image Credit: MarkThomas from Pixabay.

[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No.5, page 40.]

by Amira Bucklin and Lily Li

In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.

This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background. A whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet, many of these rules have not been tested in the courts, and they have several implications in the context of privacy.

The Privacy Conundrum

This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.

The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.

A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.

This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.

What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?

Continue Reading Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?
European Union flag.

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

GDPR, Privacy Law , , , , , , , , , , , ,

Image Credit: GregMontani from Pixabay.

**Update: On June 4, 2021, the European Commission formally adopted the new standard contractual clauses (“SCCs”) for international personal data transfers. Businesses will have a grace period of 18 months from the effective date of the European Commission’s decision to update all existing SCCs for transfers outside the European Union with the new SCCs.

In the meantime, businesses will be allowed to keep using the old SCCs for “new” data transfers over a transition period of three months from the effective date of the European Commission’s decision — giving organizations the chance to make any changes necessary for compliance with the new SCCs before incorporating them into their contracts. Such contracts, however, will also need to be updated within the 18-month-grace period.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as a transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post).

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCSs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (processor- processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.

Continue Reading EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses
Blue EU flag fluttering in the wind

Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either

GDPR , , , , , , , , , , , , ,

Image Credit: Capri23auto from Pixabay

On July 16th, 2020, privacy professionals scrambled after the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II. The ruling invalidated the US-EU Privacy Shield agreement, which authorized transfers of data from the EU to the US for Privacy Shield-certified companies. Though the ruling on Privacy Shield was unexpected given that it was not directly at issue, such a decision is not without precedent or historical pattern. Privacy Shield itself was a replacement for the Safe Harbor framework that was invalidated in 2015 in Schrems I.

Now that the Privacy Shield framework has been invalidated, both data controllers and data processors are likely concerned about the next steps to take to ensure that any data transfers integral to its operations can continue. Although the U.S. Department of Commerce has indicated that it will continue processing Privacy Shield certifications, affected companies such as U.S. data importers and EU data exporters should quickly explore and adopt other transfer legitimizing mechanisms with their service providers and vendors in order to prevent any gaps in compliance.

Continue Reading Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either
Computer screens against skyscraper backdrop

Should Bar Associations Vet Technology Service Providers for Attorneys?

Cybersecurity , , , ,

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]

Image Credit: Gerd Altmann from Pixabay1

Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).

Continue Reading Should Bar Associations Vet Technology Service Providers for Attorneys?
WSJPro Cybersecurity Symposium

Metaverse Law to Speak at WSJ Cybersecurity Symposium

Events , , , , ,

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two day event in San Diego, CA from Thursday, January 9 to Friday January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, lunch, a cocktail reception on the ninth, and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule

1 2 3