As we previously reported, on August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website.  Several hundred companies, including Microsoft, Salesforce, Panasonic Avionics, and Workday, have already self-certified, and many others have submitted their applications and are awaiting the Department of Commerce's (DOC's) approval.  Companies that submitted their applications before September 30, 2016 were granted a nine-month grace period to conform their existing contracts with third-party processors to the new onward transfer requirements under the Privacy Shield, thereby being allowed to achieve compliance sooner.

For those considering participating in the framework, the Privacy Shield website offers factual information about the framework, including instructions and details on how to join Privacy Shield, the requirements of Privacy Shield participation, and the administration of the Privacy Shield Program.  Likewise, amid continued criticism of the framework in the EU, the European Commission published a Guide for citizens, outlining how the Privacy Shield guarantees individuals' data-protection rights and what remedies are available to individuals who believe their personal data was misused in violation of the framework.

Specifically, the Guide provides detailed information on the following.


Recently, the U.S. Court of Appeals for the Second Circuit sided with Microsoft Corporation and global privacy advocates in the case of In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2006 WL 3770056 (July 14, 2016), by holding that the issuance of a warrant to obtain private emails stored on a Microsoft server in Dublin, Ireland, constituted an impermissible extraterritorial application of the Stored Communications Act, 18 U.S. Code §§ 2701 et seq. (“SCA”).

The Microsoft decision coincides with a rise in international tension over the data privacy interests of foreign customers of U.S. electronic communications providers.  This tension was heightened by the Snowden revelations in 2013, which sparked EU concerns about "unfettered" U.S. government surveillance, and reached a crescendo last October, when the Court of Justice of the EU invalidated the fifteen-year-old U.S.-EU Safe Harbor as not providing an "adequate" level of data protection. Thereafter, the U.S. and the EU Commission rushed to develop a new EU-U.S. Privacy Shield Framework to replace Safe Harbor.

As some commentators have noted, the Second Circuit's ruling may incidentally help EU/U.S. data transfer mechanisms, including model contract clauses and the Privacy Shield program, to survive this scrutiny. See Kenneth Withers, M. James Daley, and Taylor Hoffman, In Re Microsoft: U.S. Law Enforcement Not Entitled to Email Stored in Ireland (Aug. 28, 2016).  While the Second Circuit's ruling temporarily defused an explosive issue in EU/U.S. data protection relations, it left unresolved a number of practical issues regarding cross-border government investigations under the outdated SCA.

On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.

As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on the Department of Commerce's website as "active" participants in the program. To avail itself of the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to additional new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to the long-standing EU data protection principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, and recourse, enforcement and liability.  Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.