This article was originally published on D4's Discover More blog, and provides an interesting perspective on the history of the Privacy Shield and how it's impacting global e-discovery. This version is slightly abridged.
To improve is to change; to be perfect is to change often.
Up until recently, thinking of the legal industry would not bring to mind rapidly changing landscapes. The legal community is not what one would consider early adopters of anything. Lawyers by their very nature are risk-averse individuals, but in the last 10 years the legal landscape has seen more change than it had in the hundreds of years before. Electronic discovery and its associated services have gone from a burgeoning business to a $15 billion industry. Alternative legal service providers like Legalzoom and Rocket Lawyer are changing the way the public at large can access legal information. In addition, the rapid globalization of commerce has made the instantaneous sharing of data possible, while at the same time bringing to light the fundamental differences in cultural expectations of privacy.
Preparing for a panel discussion on the fate of cross-border transfers of data usually takes little more than sitting down for 30 minutes and getting one's thoughts in order. Preparing for a panel discussion on cross-border discovery during the last year has been an exercise in legal research, making sure nothing has changed overnight.
History of EU-US Privacy Shield
By now most of us are familiar with the Facebook user and law student, Max Schrems. Max and his legal team momentously, albeit briefly, stopped 500 years of transatlantic communication when the court invalidated Safe Harbor, the primary mechanism used to transfer data for the previous 15 years.
Although there had always been grumblings of concern regarding Safe Harbor, the nail in the coffin that Schrems and his legal team relied on was the revelation by government contractor Edward Snowden of the sheer breadth of the US surveillance programs. Once the vast amounts of data being collected on citizens of the world, with very little exception or control, came to light, it all but ensured that the United States could not commit to giving EU personal data “adequate” protection levels, which is a necessary component of Safe Harbor.
The three months following that decision left thousands of companies in limbo as individual EU countries gave conflicting advice on their level of immediate enforcement against data transfers. Clear guidelines were absent, and the disparate approaches of individual nations were as varied as their languages; from calls for fines and immediate enforcement to leniency and commitments to stay enforcement procedures until suitable guidelines were in place, there was no consistency of direction.
After months of wrangling, the EU and US finally announced on February 2, 2016 that a framework had been reached, called the EU-US Privacy Shield. The announcement was short on specifics and offered little more than a promise to address:
- the handling of Europeans’ PII Data,
- how US Government access to data would be curtailed, and
- how the rights of EU citizens would be protected under the agreement.
The announcement was little more than fanfare and an exercise in smoke and mirrors used to buy time. Almost a month would pass before additional clarity was given and the seven guiding principles of the EU-US Privacy Shield were released: notice, choice, security, data integrity and limitation, onward transfer, and recourse/enforcement.
Enforcing the Privacy Shield
Arguably the principle with the most teeth and the greatest specificity centered on recourse and enforcement, which is discussed at length and itself has 6 avenues for redress.
- Those wishing to operate under the Privacy Shield must allow EU citizens with complaints to raise their concerns with the offending entities.
- Companies must have an independent dispute resolution mechanism in the EU or the US to investigate and attempt to resolve complaints.
- Heavier weight will be given by the FTC (Federal Trade Commission) to complaints received from the dispute resolution groups appointed by the organizations.
- Organizations must cooperate with the local Data Protection Authorities during any investigation of complaints.
- The Privacy Shield allows a panel to address complaints not satisfactorily resolved by other means. A group of 20 arbitrators jointly selected by the DOC and the EU will be assigned to binding arbitration and can impose “individual-specific, non-monetary equitable relief.” Each panel will consist of 1-3 arbitrators selected for the case from the pool of 20.
So how does this affect cross-border discovery?
As I mentioned earlier, the European view on data privacy is very different from the view here in the US. Centuries of war, the atrocities of the Nazis, and the close proximity of independent nations have all weighed heavily on their views. Additionally, the European system of discovery is fundamentally very different, as they operate for the most part under a civil law system while the US relies on common law.
These two facts combined make the US approach to discovery appear far-reaching, over-broad, and woefully intrusive. Adding foreign entities to an already complex discovery scenario makes the process unduly burdensome for US entities seeking to obey court-ordered discovery of data residing overseas. In the US, with very few exceptions (unless you are part of a financial or telecommunications company, which Congress has passed laws to regulate), you are free to use the data you collect as you see fit, with little more than business considerations to keep in mind. The “how we use your data” section of contracts and corporate websites is much more a business concern than a legal one.
The EU, on the other hand, views PII as a human rights issue and has a complex system of rules and regulations that covers almost every aspect of the collection, control, and distribution of personal data. What is considered personal data is also very different, and goes far beyond merely names, birthdates, and the like. Generally, personal data is considered almost ANYTHING that could be traced back to an individual, no matter how unlikely. Also of note is that ‘processing’ of data is not what we would consider processing in the US in relation to discovery; rather, any touching, formatting, changing, or itemization is considered an act of processing.
Additional Ways to Transfer Data
Although not always easy, there are ways to get the data to the US for review in litigation or an investigation. First, regarding the processing of data, the easiest way is for the data subject to give knowing, unambiguous consent.
The three other ways to transfer the data are under the safety net of the Privacy Shield, Model Contracts, or Binding Corporate Rules (BCRs).
We’ve already discussed the Privacy Shield and its current limitations, but let’s look at BCRs and Model Contracts. Model Contracts create a binding pledge between data importer and exporter: the importer will comply with EU laws and allow audits of its data handling. These contracts are non-negotiable form contracts and work well, except within a single corporate entity because, let’s face it, much as we might like to, you cannot contract with yourself.
The least likely method a company would choose is the BCRs. These rules allow intracompany transfers all over the globe, but they require approval from each EU member state, considerable expense, and often more than a year to put into place. The process is so arduous that fewer than 50 companies have this mechanism in place.
Each of the above has its benefits, but none is without its respective challenges. The easiest way would be to contract with an organization that has in-country data processing, hosting, and review capabilities, so that transfers of private data can be minimized or avoided entirely while reviewing data for US-based litigation. Once relevancy has been determined, a stronger case can be made that, because these documents have been reviewed by attorneys, they are less likely to contain PII and therefore less likely to run afoul of data protection rules.
The US and Europe have been communicating and sharing data since before the United States were united; neither the American Revolution, two world wars, nor Max Schrems was able to stop the data transfers for more than a heartbeat, as the free flow of information is too important in a global business environment. Just as virtually no data protection authorities took action during the period between the demise of Safe Harbor and the rise of Privacy Shield, regardless of their warnings, it is unlikely that they would do so now as changes are made to the new framework. Perfection during these changing times is unlikely, but documented and consistently followed procedures should keep companies safe from the most egregious infractions. The only constant we should come to expect regarding EU-US data transfer is change.