Several months ago, when the European Court of Justice ruled in favor of Max Schrems and overturned the Safe Harbor framework, multinational corporations, and the legal and eDiscovery organizations that supported them, were left in a quandary about how to transfer data between their offices in the EU and those in the rest of the world. While the legal and business communities waited for a permanent solution, a series of workarounds and customary practices created a substitute framework, which, while scrutinized by various regional and national Data Protection Authorities (DPAs), provided a workable solution.
And then, this spring, an agreement was reached, resulting in the draft language of The EU-U.S. Privacy Shield Framework, and it looked like the months of uncertainty were finally at an end. However, in the last few weeks, the challenges have begun to roll in, from both member states and from EU data privacy officials.
First, in his report released on May 30th, 2016, the European Data Protection Supervisor, Giovanni Buttarelli, determined that:
“The draft Privacy Shield may be a step in the right direction but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision. In particular, the EU should get additional reassurances in terms of necessity and proportionality, instead of legitimising routine access to transferred data by U.S. authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU, as affirmed by the Treaties, EU rulings and constitutional traditions common to the Member States.
Moreover, in an era of high hyperconnectivity and distributed networks, self-regulation by private organisations, as well as representation and commitments by public officials, may play a role in the short term whilst in the longer term they would not be sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world where many countries are now equipped with data protection rules.”
Buttarelli’s assessment aligned with the opinions of the Article 29 Working Party and the European Parliament.
Then, last week, the Irish Data Protection Authority called into question the Model Clauses that had provided a legal basis for the continuation of data transfers, particularly between the EU and the United States. A common opinion, and one expressed by Squire Patton Boggs, is that Model Clauses, while they remain viable, will likely be a “short-lived option.” The consensus within the legal community is that, following the Irish regulator’s petition to the European Court of Justice and the Irish High Court to “seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under standard contractual clauses,” it will be just a matter of time before they are invalidated, leaving only direct consent and binding corporate rules as the options for transferring data between the EU and the United States.
Neither these options nor the lack of support for the Privacy Shield within the European Union offers much relief or guidance to corporations doing business in an interconnected environment. Beyond waiting for yet more clarification, what can be done? The best advice is to engage in constant education and to build partnerships with legal and eDiscovery providers who have a presence in the EU as well as in the U.S.