S4 | MONDAY, FEBRUARY 22, 2016 | Litigation
| NYLJ.COM
Shockwaves of Uncertainty:
Managing Business Before EU Privacy Shield Takes Effect
BY GABRIELA P. BARON
In October 2015, the 2000 Safe Harbor framework that had allowed U.S. compa- nies to transfer European citizens’ personal data across borders for the past 15 years was invalidated, sending shockwaves across the Atlantic. As corporations await the final word on the new data privacy framework, it is use- ful to review the data privacy processes that organizations have implemented to weather out similar situations.
Four months ago, via the decision in Sch- rems v. Data Protection Commissioner, the Court of Justice of the European Union (CJEU) threw thousands of U.S. companies that have relied on the U.S.-EU Safe Harbor agreement for the past 15 years into uncharted terri- tory.1 In its decision, the CJEU invalidated the basis for EU approval of the 2000 Safe Har- bor framework under which U.S. companies were authorized to transfer personal data of European citizens to the United States after self-certifying that they would comply with European data protection standards.
On Feb. 2, 2016, the European Commis- sion announced a forthcoming framework, the Privacy Shield, designed to allow U.S. companies to continue to transfer personal data out of the European Union. The Privacy Shield is intended to impose stronger obli- gations in the United States to protect the personal data of Europeans and to encour- age stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with Europe- an Data Protection Authorities (DPAs). The decision containing the text of the Privacy Shield, which will address the requirements set forth by the Court of Justice in Schrems v. Facebook, may take another month to finalize. The agreement will go into effect immediately once the decision is rendered.
The ‘Schrems’ Opinion
The EU Data Protection Directive prohib- its the transfer of personal data to outside nations unless they provide an adequate level of protection for that data. In the EU, personal data is broadly defined as any data that would allow a viewer to identify the data subject, and a transfer includes the storage of EU personal data on U.S. systems. In 2000, the U.S. Depart- ment of Commerce and European Commission completed their negotiation of a Safe Harbor framework that set forth a series of privacy principles. U.S. companies that adhered to those principles were permitted to transfer the personal data of EU citizens to the U.S. without having to negotiate every transfer with the local DPA.
In Schrems, the CJEU was concerned that the Safe Harbor enabled the U.S. government to interfere with an EU citizen’s fundamental right to privacy. In short, the Safe Harbor bound only the companies that agreed to
GABRIELA P. BARON is a member of the New York bar and senior vice president at Xerox Legal Business Services, where she oversees global business devel- opment activities. She may be reached at Gabriela. [email protected].
iSTOCKPHOTO