Litigation | MONDAY, FEBRUARY 22, 2016 | S5
abide by it, not the U.S. government. Moreover, American national security, public interest, and law enforcement requirements all trumped the principles of the Safe Harbor, so the CJEU determined that U.S. government and other entities could disregard those principles in the event of a conflict. Further, the CJEU found that EU citizens had no U.S. legal remedy by which to obtain access to their transferred data or to demand the erasure of their personal data once transferred.
What Has Happened Since Schrems?
Since the decision in Schrems, the Article 29 Working Party, the body of data protection authorities from each EU member state, has indicated that businesses may continue transfers via alternative means, such as standard contractual clauses and binding corporate rules, while the details of the Privacy Shield are finalized.
Redefining Internal Roles.
Compliance with data privacy regulations touches every aspect of a company as well as its outside service providers. To get their "internal houses" in order, data privacy savvy enterprises have implemented protocols that require escalation to legal whenever data and privacy issues are implicated. Such organizations have benefited from the formation of cross-functional teams that include representatives from legal, compliance, risk, IT, and operations. These in-house, cross-border teams have mastered the laws of the jurisdictions in which their organization's data resides and have developed protocols for responding to questions or concerns relating to specific countries.
Some organizations have appointed a privacy officer to oversee this team. Further, leading organizations have typically charged the privacy officer with addressing data privacy governance and ensuring that data privacy laws are considered when implementing business workflows and technology that implicate data access, storage, and transport.
Auditing Data.
In most organizations at the forefront of these data privacy concerns, the cross-border team has, as a preliminary matter, learned what data the organization creates and stores, where it is located, and how it is maintained. In particular, the teams have assessed the categories of data that the organization owns and the data’s sensitivity. The last preliminary question for these teams in each instance has been whether data rights are based on where the data subject is located or where the data itself is located.
Limiting the Need to Transfer.
After learning about their data, privacy-leading organizations have studied how that data flows. Realizing that data security and transfer issues arise with every movement of data, leading organizations have designed strategies that limit the need to move data at all. Data crosses borders readily and even imperceptibly, particularly with the increased use of cloud-based applications, social media and storage: merely accessing EU-hosted data from a workstation in the United States (or allowing a vendor's U.S.-based support staff to view it) is itself a transfer, even if no copy is deliberately made.
Some organizations have opted to negotiate the scope of discovery with opposing counsel. Where that has failed, organizations have sought relief by citing proportionality considerations under the Federal Rules of Civil Procedure (Rule 26(b)(1), as amended in December 2015). In seeking such relief, the organizations in question have gathered information on the burden of compliance, including the time and resources required to retrieve the data, and the potential risks, such as fines or other sanctions from the relevant foreign nation. In such arguments, affidavits from counsel or from foreign officials detailing the burdens and civil or criminal ramifications of complying with the U.S. discovery rules have generally been viewed by courts as compelling evidence. Where these approaches have failed, organizations have sought protective orders covering the EU citizens' data.
Conducting a Targeted Data Collection.
Where the need to collect personal data from EU custodians has been unavoidable, organizations have generally taken steps to process data in place and limit the need for transfer, using on-site e-discovery technology (or the in-country data center of their e-discovery services provider) so that culling, review and redaction happen before anything crosses a border.
Most e-discovery platforms can locate personally identifiable information using keyword searches, pattern-based data detection and technology-assisted review, and can filter out or redact sensitive content with automated redaction tools. Pattern-based searches recognize structured identifiers in documents, such as employee identification numbers, phone numbers, or account numbers, and automatically redact every match across a document set. Such rules should be validated on a sample before they are relied on: they miss identifiers that do not follow a fixed format (names and addresses in free text) and can over-match (an order number that resembles an account number). Alternatively, anonymization techniques remove all personal identifiers outright, while pseudonymization techniques replace each identifier with a token that obscures the data subject's identity but still allows multiple records to be linked to the same person. Because the token can be resolved back to the individual by whoever holds the key or lookup table, pseudonymized data is still treated as personal data; the key should therefore remain with the custodian in the EU rather than travel with the production.
Considering Potential Workarounds.
Organizations that have been unable to avoid cross-border transfers have generally sought to ascertain whether they can rely on other transfer avenues. In some cases one of the Data Protection Directive's derogations (Article 26(1), including the exception for transfers necessary for the establishment, exercise or defense of legal claims) has applied, although DPAs have generally construed these exceptions narrowly. Consent has proven to be another option, though DPAs have frowned upon its use for collecting employee data given the pressure employees may feel to comply with their employer's wishes.
Organizations have also used two other alternatives: the standard model clauses and binding corporate rules. Organizations have found that the standard model clauses can ensure compliance, but their terms are fixed and cannot be negotiated. As for binding corporate rules, organizations report that they afford a more flexible, customized approach, but they are limited in scope; binding corporate rules are designed to facilitate intragroup transfers within multinational corporations and do not cover transfers to external suppliers, such as cloud providers or e-discovery vendors. Further, experienced organizations note that the approval process can take up to two years.
Maintaining Data Security.
When determining how to protect data subjects' privacy, organizations have also been forced to address data security concerns—both internal and exter- (continued on page S10)