Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either

On July 16th, 2020, privacy professionals scrambled after the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II. The ruling invalidated the US-EU Privacy Shield agreement, which authorized transfers of data from the EU to the US for Privacy Shield-certified companies. Though the ruling on Privacy Shield was unexpected given that it was not directly at issue, such a decision is not without precedent or historical pattern. Privacy Shield itself was a replacement for the Safe Harbor framework that was invalidated in 2015 in Schrems I.

Now that the Privacy Shield framework has been invalidated, both data controllers and data processors are likely concerned about the next steps to take to ensure that any data transfers integral to their operations can continue. Although the U.S. Department of Commerce has indicated that it will continue processing Privacy Shield certifications, affected companies such as U.S. data importers and EU data exporters should quickly explore and adopt other transfer legitimizing mechanisms with their service providers and vendors in order to prevent any gaps in compliance.

Alternative Mechanism: Standard Contractual Clauses

Under the GDPR, data transfers to “third countries” outside the EU and international organizations are restricted unless validated by an approved mechanism to ensure that GDPR protection will follow.

Under GDPR Article 45, data transfers may be valid on the basis of an “adequacy decision,” where the European Commission has previously evaluated and determined that a third country provides “an adequate level of protection.”

GDPR Article 46(1) provides that, in the absence of an adequacy decision for the third country, other possible transfer mechanisms include Standard Contractual Clauses (SCC). SCCs, also known as “model clauses,” are sets of pre-approved and non-negotiable contractual provisions that both the importer and exporter must agree to.

SCCs are the primary mechanism for data transfers between EU and non-EU entities. This is because binding corporate rules (BCR) are traditionally reserved for intraorganizational transfers of data within multinational corporations, Article 49 derogations should typically only be used for limited, non-repetitive situations, and the other mechanisms listed under Article 46(1) (codes of conduct and certification mechanisms) have not yet been tested.

Evaluate on a “Case-by-Case” Basis

Even if using SCCs, the importer and exporter must complete a “case-by-case” analysis to determine if the laws of the third country provide an adequate level of protection or whether additional safeguards are necessary to meet the standards of the GDPR or the Charter of Fundamental Rights.

For instance, laws that allow presumptively broad law enforcement surveillance of personal data without a judicial review process will likely be non-compliant with the GDPR.

Given China’s recently enacted Cryptography Law, which provides for an encryption backdoor accessible to government actors, China may serve as an example of a third country where SCCs might not be able to automatically validate a cross-border data transfer. Since businesses operating in China may be legally required to provide data to the government without requiring judicial approval, such a legal obligation would defeat the adequacy of SCCs as a transfer mechanism. The reliance on SCCs to validate data transfers might fail in such instances.

A similar analysis may have to be completed for US service providers. For instance, many cloud providers may fall under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, both of which govern surveillance programs like PRISM and UPSTREAM. The CJEU heavily scrutinized these programs in its decision to strike down Privacy Shield, finding that these programs were not subject to adequate judicial oversight and that EU citizens would be especially vulnerable given that the protections of the Fourth Amendment of the U.S. Constitution do not apply to EU citizens.

Moving Forward

What’s next on the horizon? Perhaps the third time is the charm.

It is foreseeable that the European Commission and U.S. Department of Commerce might again negotiate a third agreement. This new agreement will need to provide additional checks and balances and reassurances for EU individuals whose data is transferred to the US for processing, beyond the level provided for in the stricken-down Privacy Shield.

In an Opinion dated April 13, 2016, the Article 29 Working Party (WP29), the predecessor to the current European Data Protection Board (EDPB), had already determined that one of Privacy Shield’s deficiencies was its failure to address “massive and indiscriminate collection of personal data originating from the EU” by US intelligence agencies. WP29 also expressed concerns that the Privacy Shield Ombudsperson was not sufficiently independent and powerful to be an adequate tribunal. It concluded by urging the Commission to improve Privacy Shield to provide protections equivalent to those in the EU. Given that these concerns were telegraphed well in advance of Privacy Shield’s actual invalidation, the next framework must absolutely address these issues if it wishes to survive scrutiny. In the meantime, businesses should review their data transfer flows, remain agile and flexible in responding to developing law, and ensure that transfers are validated by multiple mechanisms as a contingency.

Should Bar Associations Vet Technology Service Providers for Attorneys?

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]

Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).

Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two-day event in San Diego, CA from Thursday, January 9 to Friday, January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, lunch, a cocktail reception on the ninth, and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary as well as registration details can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule

Metaverse Law to Speak at Postal Customer Council Lunch and Learn

Metaverse Law will be giving a zip talk and participating in a Q&A panel on Thursday, November 14 at the Phoenix Club in Anaheim, CA about Data Protection and Cyber Security.

The event itinerary includes registration at 11:00AM – 11:45AM, followed by lunch and a seminar which conclude at 1:30PM.

Registration details can be found at http://www.socalpcc.org/lock-it-or-lose-it.html.

Searching for the One Ring to Rule Them All: A Look at 8 U.S. Federal Privacy Bills

This article is Part 1 of 2 in a series exploring proposed federal privacy laws in the United States. Part 2 will discuss the constitutional challenges facing not only a proposed federal privacy law but those facing existing state privacy laws as well.

As predicted in our Privacy Law Forecast for 2019, legislators have raced to introduce national privacy regulation in both the House and Senate this year.

In contrast to the European Union’s GDPR, a hodgepodge of sectoral laws governs privacy in the United States in specific industries: medical, financial, educational, and marketing sectors, among others. States have enacted laws to protect their residents. And on top of that, Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) grants authority to the FTC to enforce against unfair and deceptive acts and practices.

This all results in a confusing and burdensome “patchwork” of national, state and sectoral rules. (For more in-depth discussion on the current U.S. privacy regulatory landscape, please see American Privacy Laws in a Global Context.)

Given this regulatory environment, legislators are keen to put forth a single federal privacy law to standardize this “patchwork” and forestall the passage of dozens more state privacy bills. Some have set a deadline, hoping to pass a federal privacy law before the CCPA comes into effect on January 1, 2020. Since the start of 2019, lawmakers have introduced about 230 bills that regulate privacy in some way in either the House or Senate.

The following is a sample of comprehensive bills from both sides of the aisle. Though these bills are unlikely to pass committee, they indicate what policies lawmakers are considering in the current negotiations:

| Title | Introduction Date | Sponsor | Notes |
| --- | --- | --- | --- |
| American Data Dissemination Act of 2019 (“ADD Act”) | January 16, 2019 | Senator Marco Rubio (R-FL) | This bill would require the FTC to submit recommended privacy regulations on “covered providers” (defined as any person that provides services over the internet) to Congress. If Congress fails to enact a law based on the FTC’s recommendations, the FTC would promulgate a final rule incorporating its proposed regulations. Only the FTC has powers of enforcement. This bill further allows for the preemption of state law. |
| Social Media Privacy Protection and Consumer Rights Act of 2019 | January 17, 2019 | Senator Amy Klobuchar (D-MN) | This bill would require online platforms to inform the user of any data collection and use, offer the user a copy of their personal data, and allow the user to opt out of data tracking. The bill also requires breach notification within 72 hours of detection. Only the FTC and state attorneys general have the power to enforce violations. |
| Digital Accountability and Transparency to Advance Privacy Act (“DATA Privacy Act”) | February 27, 2019 | Senator Catherine Cortez Masto (D-NV) | This bill would require companies to provide users with a fair processing notice and to allow users to access, port, or delete their own records. It would mandate users’ opt-in consent in situations involving sensitive data or data outside the parameters of the business-consumer relationship. Companies that collect data on more than 3,000 people a year and have revenues greater than $25 million per year must appoint a Data Protection Officer (DPO). The FTC, state attorneys general, and any other officer authorized by the State to bring civil actions would have the power to enforce this law. |
| Own Your Own Data Act | March 14, 2019 | Senator John Kennedy (R-LA) | This bill would require social media companies to have a “prominently and conspicuously displayed icon” that a user can click to easily access and port their information. It would characterize user account registration as a “licensing agreement” wherein the user would license the user’s data to the social media company. |
| Information Transparency & Personal Data Control Act | April 1, 2019 | Representative Suzan DelBene (D-WA) | This bill would require any company to first procure users’ opt-in consent before processing sensitive data. Companies must also provide users with fair processing information. The bill requires companies to obtain third-party privacy audits and to submit the audits to the FTC biannually. Only the FTC would enforce this law. This bill further allows for the preemption of state law. |
| Balancing the Rights of Web Surfers Equally and Responsibly Act of 2019 (“BROWSER Act”) | April 10, 2019 | Senator Marsha Blackburn (R-TN) | This bill would require providers of broadband internet access service and edge services to notify users of the providers’ privacy policies and to obtain users’ opt-in consent in order to process sensitive information and opt-out consent for non-sensitive information. It would also prohibit providers from conditioning services on waivers of privacy rights. The bill further allows for the preemption of state law. |
| Privacy Bill of Rights | April 11, 2019 | Senator Edward Markey (D-MA) | This bill would require companies to provide users with fair processing information and the right to access, port, or delete their own records. Companies would be prohibited from offering “take-it-or-leave-it” arrangements or financial incentives in exchange for users’ personal information. Companies would also have to procure users’ opt-in consent before processing personal information. Under this bill, companies must designate an employee in charge of privacy/security compliance, no matter the size or annual revenue of the company. The FTC, state attorneys general, and individuals would be able to sue to enforce the law. |
| Do Not Track Act | May 21, 2019 | Senator Josh Hawley (R-MO) | This bill would establish a national Do Not Track (DNT) system and require any website or application operator to search for a DNT signal upon connection. The bill would make it illegal to collect data from devices displaying a DNT signal. Only the FTC and state attorneys general have the power to enforce violations. |

As we can see, the fault lines are clear and not surprising. Democratic lawmakers generally favor a private right of action for consumers to sue a company that has mishandled consumer data. Republican lawmakers are generally against including such a provision. Republican lawmakers typically favor an express right of preemption, so that a laxer federal privacy law may preempt stringent state laws such as the CCPA. Democratic lawmakers are largely against the inclusion of such provisions, unless the bill provides consumer rights equivalent in scope and depth to the CCPA.

Regardless of whether or not a federal privacy law passes, businesses and the courts have their work cut out for them. Constitutional and interpretive challenges will plague the reach of any state or federal comprehensive privacy law, making it difficult to assess coverage for overlapping sector, state, and federal rules.

Consequently, as we will discuss further in our next article, legislators should consider these constitutional challenges head on prior to passing the “one” best bill to rule them all. Without clearly articulating the scope of any privacy law (e.g. does it extend across state borders and internationally), its preemption over or exclusions for other laws (e.g. GLBA, HIPAA, COPPA), and its relationship to third parties that only touch data incidentally, any comprehensive legislation will just add to the quagmire of current laws.
