EU-U.S. Privacy Shield

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on U.S. companies that handle the personal data of EU individuals. U.S. companies can be fined up to €20 million or 4% of their global annual revenue, whichever is higher, for the most egregious violations. What does the GDPR’s approaching effective date mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance.

In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the 2015 Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates the adoption and implementation of the EU-U.S. Privacy Shield and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Protection Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments to the U.S. Federal Rules of Civil Procedure.

Given the complex and dynamic EU data protection landscape, in which the new Privacy Shield has not yet been tested and the GDPR has not yet taken effect, WG6 has aptly designated this a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel and corporate clients on safely navigating the competing and conflicting obligations involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:

Yesterday, President Trump signed the Executive Order “Enhancing Public Safety in the Interior of the United States” (Jan. 25, 2017). The Order states as its purpose the “interior enforcement of our Nation’s immigration laws.” Section 14 of the Order directs agencies, “to the extent consistent with applicable law,” to exclude persons who are neither U.S. citizens nor lawful permanent residents from the protections of the Privacy Act of 1974:

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Over the course of last year, the Obama Administration undertook the substantial task of putting in place a new cross-border data transfer framework, the EU-U.S. Privacy Shield, which involved months of drafting and negotiation with EU authorities and whose validity is still being challenged by various EU privacy groups. The Privacy Shield’s comprehensive privacy protections were key to ensuring that cross-border commercial data transfers continued after the invalidation of the Safe Harbor framework in October 2015. The Privacy Shield opened to businesses for self-certification on August 1, 2016, and hundreds of companies have joined the framework since then.

In his last week in office, President Obama issued a report on data privacy and cybersecurity, “Privacy in Our Digital Lives: Protecting Individuals and Promoting Innovation” (January 2017). The report serves as a high-level overview of how people’s interaction with technology has changed in the last several years and of what the government has done to protect individual privacy while advancing the economy and national security. The report also lays out a path forward. Many of the initiatives currently in the works or yet to come will require strong cooperation between the government and the private sector.

Some of the data-privacy highlights pointed out in the report are:

  • Financial Privacy. The BuySecure Initiative announced by President Obama in 2014, which encouraged the deployment of new security technology (e.g., chip-and-PIN cards) for payments made in the United States.
  • Broadband Privacy. New rules approved by the Federal Communications Commission (FCC) that give consumers more control over how Internet Service Providers (ISPs) use their data, requiring ISPs to obtain user consent before sharing sensitive information they collect with advertisers and other third parties.
  • Drone Privacy. Six Federal entities that use government-operated drones – the Departments of Defense, Homeland Security, the Interior, Justice and Transportation, and the National Aeronautics and Space Administration – have put in place privacy policies for their use of drones pursuant to President Obama’s 2015 Presidential Memorandum on safeguarding privacy in domestic use of unmanned aircraft systems.
  • Children’s Privacy. The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, was modernized in 2012 to address changes in technology and better protect online privacy of children under the age of 13.
  • Student Privacy. President Obama’s Student Privacy Pledge has been signed by over 250 companies, including some of the Nation’s largest, that have agreed to limit collection and sharing of student data.
  • International Commercial Privacy. The Obama Administration undertook the substantial task of putting in place the EU-U.S. Privacy Shield framework, which involved months of drafting and negotiation with EU authorities. The Privacy Shield’s comprehensive privacy protections, backed by FTC enforcement, were key to ensuring that cross-border commercial data transfers continued after the invalidation of Safe Harbor.
  • Legislative Reforms. In 2015, President Obama signed into law the USA Freedom Act, which ended the U.S. Intelligence Community’s bulk collection of telephony metadata under the USA PATRIOT Act. The USA Freedom Act replaces it with a more targeted approach under which the government generally must obtain judicial approval to access call records held by telecommunications providers.

The Report also included “Areas for Further Attention,” which the Obama Administration hoped the new Administration would focus upon. These Areas are as follows:

As we previously reported, on August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield website. Several hundred companies, including Microsoft, Salesforce, Panasonic Avionics, and Workday, have already self-certified, and many others have submitted their applications and are awaiting DOC’s approval. Companies that submitted their applications before September 30, 2016 were granted a nine-month grace period to conform their existing contracts with third-party processors to the Privacy Shield’s new onward-transfer requirements, allowing them to join the framework without first renegotiating those contracts.

For those considering participating in the framework, the Privacy Shield website offers factual information about the framework, including instructions and details on how to join the Privacy Shield, the requirements of Privacy Shield participation, and the administration of the Privacy Shield Program. Likewise, amid continued criticism of the framework in the EU, the European Commission published a Guide for citizens, outlining how the Privacy Shield guarantees individuals’ data-protection rights and what remedies are available to individuals who believe their personal data was misused in violation of the framework.

Specifically, the Guide provides detailed information on the following.

Recently, the U.S. Court of Appeals for the Second Circuit sided with Microsoft Corporation and global privacy advocates in In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2016 WL 3770056 (2d Cir. July 14, 2016), holding that a warrant requiring Microsoft to produce private emails stored on its server in Dublin, Ireland, constituted an impermissible extraterritorial application of the Stored Communications Act, 18 U.S.C. §§ 2701 et seq. (“SCA”).

The Microsoft decision coincides with rising international tension over the data privacy interests of foreign customers of U.S. electronic communications providers. This tension was heightened by the Snowden revelations in 2013, which sparked EU concerns about “unfettered” U.S. government surveillance, and reached a crescendo last October, when the Court of Justice of the EU invalidated the fifteen-year-old U.S.-EU Safe Harbor as not providing an “adequate” level of data protection. Thereafter, the U.S. and the European Commission rushed to develop the new EU-U.S. Privacy Shield Framework to replace Safe Harbor.

As some commentators have noted, the Second Circuit’s ruling may incidentally help EU/U.S. data transfer mechanisms, including the model contract clauses and the Privacy Shield program, survive EU scrutiny. See Kenneth Withers, M. James Daley, and Taylor Hoffman, In Re Microsoft: U.S. Law Enforcement Not Entitled to Email Stored in Ireland (Aug. 28, 2016). While the Second Circuit’s ruling temporarily defused an explosive issue in EU/U.S. data protection relations, it left unresolved a number of practical issues regarding cross-border government investigations under the outdated SCA.

On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.

As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on the Department of Commerce’s website as “active” participants in the program. To avail itself of the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to the new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to the long-standing EU data protection principles of notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.