Following up on my earlier blog post, here is a snapshot of the evolving post-Safe Harbor 1.0 world, and a few suggested eDiscovery strategies to avoid trouble. As EU officials sift through the impact of the recent European Court of Justice (ECJ) ruling that invalidated Safe Harbor, the central mechanism US companies relied on to move personal data from Europe to the US, they are sharing their go-forward plans and giving some guidance to US companies now caught in limbo.
At the heart of the ruling is the fundamental right of all Europeans to keep their personal data private, and a growing fear in Europe that once it reaches the US, EU personal data is not safe from US intelligence intrusion. Early indications are that European officials intend to go to the mat to require US companies and the US government to respect this fundamental privacy right, so intensely valued by EU citizens.
A January 30th Line in the Sand.
The group of national data protection authorities (DPAs) and EU Commission officials known as the Article 29 Data Protection Working Party declared January 30th, 2016 as the target date for a US-EU data protection solution. As they continue to analyze the ECJ ruling and look for a solution with US authorities, the Working Party shared these key points heading into January:
- The paramount issue is mass and indiscriminate surveillance
- US companies should consider Model Contractual Clauses (MCCs, also known as Standard Contractual Clauses) and Binding Corporate Rules (BCRs), the alternative transfer tools to the now-defunct Safe Harbor
- Safe Harbor 2.0 is a possible solution
- EU Member States should help find a solution with US authorities
- Nothing stops data protection authorities from continuing to investigate particular cases
Germany Taking a Hard Line.
On the heels of what appeared to be a grace period from the Working Party, the Hamburg DPA announced an immediate audit of companies such as Facebook and Google, with a bar on data transfers to the US as a possible outcome. Hamburg has tangled with Google on privacy issues before. German data protection officials also said that MCCs and BCRs, the alternatives recommended by the Working Party, may not pass muster in Germany, and Hamburg officials will not approve new requests for these mechanisms, depriving US companies of that fallback. Commissioner Caspar of Hamburg advises US companies to consider keeping European personal data on servers in the EU to avoid trouble with European data protection laws in the future, a costly recommendation that could become reality.
Ireland Pursuing Facebook Complaint.
We will all be watching the Irish Data Protection Authority's investigation of Facebook, trying to read the tea leaves on how its determination will influence the rest of Europe. The DPA sprang into action last week, after the Irish High Court directed the agency to examine whether to suspend the transfer of Facebook users' data from Europe to the United States, as requested in the now-famous Max Schrems complaint.
EU Commission Guidance Coming Soon.
European Justice Commissioner Vera Jourova has said the Commission will soon issue a statement on the impact of the ECJ ruling and guidance for international data transfers, while not impinging on national DPAs' authority. The balance between European Union edicts and Member State agencies' authority is a constant tightrope walk in the EU. Many hope the EU can avoid a patchwork of country-specific data protection mandates that would be onerous for US companies. Yet the early German DPA actions belie this wish.
Safe Harbor 2.0.
The two-year negotiations between the US Department of Commerce and the European Commission on an updated Safe Harbor agreement, Safe Harbor 2.0, seem to be speeding up. Many Silicon Valley companies are hoping this will be THE solution. The parties recently agreed in principle and expect to work out many details before their mid-November meeting in Washington, DC. Ms. Jourova says that complying with the ECJ ruling and limiting U.S. intelligence access to Europeans' personal data are the key issues. Stricter Safe Harbor oversight and enforcement are expected to be part of Safe Harbor 2.0.
Practical eDiscovery & Investigation Strategies.
Much will be revealed in the lead-up to the January 30th line in the sand. In the meantime, as you continue your eDiscovery and investigations, here are four EU strategies to consider.
- Preservation. Use "in place" legal holds for European data that lock down EU data right in employee mailboxes or on EU servers. Avoid the practice of copying European ESI into a US preservation repository: the copy itself is a cross-border transfer of personal data. For mobile EU employees, look for technology that can search across both business and BYOD devices to execute "in place" holds.
- Targeted Collections. Do precise, targeted collections so that overly broad collections do not scoop up personal information. Stay away from techniques such as imaging the entire contents of a hard drive.
- Segmented Read-only Review. Using eDiscovery technology, filter by metadata and keywords to segment out protected EU data. Store that data in an EU repository, and have your US legal team review it through restricted access to that EU repository that prevents printing, downloading, or otherwise exporting the data.
- Governance Compliance. During corporate investigations into matters such as fraud or corruption, take a focused approach to EU data collection, processing, and review that keeps irrelevant personal data out of the process. If you use consultants for these projects, require that they have EU data centers.
Leading tools to support these strategies can be found at companies like AccessData.
Watch for another post in this series to stay informed on developments leading up to the late January line in the sand.