Copyright: maxkabakov / 123RF Stock Photo

On Fox’s Privacy Compliance & Data Security blog, associate Michelle Rosenberg provided a breakdown of the EU’s General Data Protection Regulation (GDPR), a widely discussed and substantive change to European data privacy rules going into effect on May 25, 2018. Michelle notes the global impact on companies large and small that possess, transfer and process personal data of EU individuals. She also provides an overview of the methods of compliance available to such companies, namely binding corporate rules (BCRs), model contractual clauses and certification mechanisms like Privacy Shield, in relation to EU-U.S. data transfers.

We invite you to read Michelle’s informative post.

In a letter dated May 16, 2017, the Internet Association, a trade group representing some of the largest internet companies in the country (and the world), pressed newly confirmed U.S. Trade Representative Robert Lighthizer to see their perspective on trade policies in the digital age.

Among the companies that the Internet Association represents are established giants such as Google, Amazon, and Facebook as well as those pushing the newest frontiers of Internet commerce, including Uber, Airbnb, and Dropbox.  This distinguished group of companies set forth six key principles that it asked Representative Lighthizer to consider implementing to defend and grow digital trade around the world.

First, the Internet Association calls for the creation of specific policies to clarify and support the cross-border transfers of information.  Specifically, the group highlights the need to eliminate requirements that data be stored or processed in facilities located within the United States.

Second, the coalition requests that the Representative defend and promote the ‘balance’ achieved by current U.S. copyright laws.  The Internet Association cites the centrality of ‘fair use’ to web search, machine learning, data mining, and cloud technologies and notes that internet companies rely on safe harbors and liability limitations in copyright law as they push to create innovative new products and services.

Third, the Internet Association similarly lauds section 230 of the Communications Decency Act, which insulates internet content hosts from liability for the ‘speech’ of their users.  As the letter notes, this protection, which fosters an environment of open discourse, is not realized in all countries.

Fourth, the group believes that streamlining customs procedures would foster growth in small and micro internet businesses that connect consumers to new goods from around the world.

Fifth, the Internet Association cautions that restrictions and outright prohibitions on access to the internet and specific digital services will negatively affect the U.S.’s strong internet economy and that the Representative should work to ensure non-discriminatory market access.

Finally, the group calls for the designation of a senior-level official to oversee digital trade matters and negotiations.

The Internet Association’s letter underscores that the internet sector of the U.S. economy is – and must remain – a focus of U.S. trade policy.  While the Internet Association represents some of the largest internet companies in the world, concerns over potential liability, customs delays, and non-discriminatory access to international markets are shared by all companies with an internet presence.  As the internet drives an ever-growing sector of the U.S. economy, all companies must be ready to navigate their compliance with import and export barriers that are no longer merely physical.


The U.S. Department of Commerce and the European Commission announced the Privacy Shield framework to replace the invalidated U.S.-E.U. Safe Harbor Agreement, but the agreement has not yet been committed to paper.

The Safe Harbor Agreement between the United States and the European Union permitted the importation of personal data from the E.U. by American businesses that self-certified as complying with the E.U. data protection laws. However, the E.U. Court of Justice (EUCJ) ruled in its October 6, 2015 decision in Schrems v. Data Protection Commissioner (Case C-362/14) that the Safe Harbor failed to protect Europeans and invalidated the Safe Harbor.  Since the Safe Harbor was invalidated, businesses have been unsure how to legally continue to import data from the European Union to the United States.

The Privacy Shield is a new framework intended to govern the flow of data between the U.S. and the E.U. As of now, the details are still being worked out, but the negotiators involved in creating the Privacy Shield have outlined its broad principles.  The Privacy Shield will have three main components: (1) new corporate obligations for U.S. businesses to commit to robust obligations on data processing, (2) granting E.U. citizens redress to challenge alleged misuse of their data, and (3) limitations on U.S. government access to personal data.

The Article 29 Working Party (Working Party) will need to approve the Privacy Shield before it can go forward. The Working Party is an independent and enforcement-oriented advisory board composed of representatives of the national data protection authorities (DPAs), the European Data Protection Supervisor (EDPS) and the European Commission. It expects to have the documents to review the new Privacy Shield by the end of February.

In the meantime, the Working Party has announced that the DPAs will not be enforcing actions until March or April against businesses that rely on the invalidated Safe Harbor while the details of how to proceed are still being worked out. The Working Party provided some assurances that, during the period of review and assessment, transfer mechanisms such as the Standard Contractual Clauses and Binding Corporate Rules (BCRs) can still be used to transfer personal data to the U.S. The Standard Contractual Clauses are form data transfer agreements approved by the European Commission, and BCRs are internal data processing rules binding on all members of a global corporate group to permit intragroup transfers of personal data.

However, virtually all transfers of E.U. personal data to the U.S. are still at risk, as there is no guarantee of how things will turn out during this critical interim time. Thus, until the Privacy Shield is finalized, much uncertainty regarding the transfer of personal data from the European Union still exists.