Q&A: The Privacy Shield
Q: Karen, what is the Privacy Shield and how did we get there?
The Privacy Shield is a new framework for the transfer of personal data from the EU to the US in compliance with EU privacy requirements.
European law restricts transfers of personal data to recipients in countries that have been found to have “adequate” privacy protections. The US is not one of those countries. Thus, US companies that transferred personal data from the EU to the US without using a lawful mechanism were violating EU law. In 2000, the European Commission and the US government established the “Safe Harbor” framework for these data transfers. Companies that self-certified adherence to the Safe Harbor framework could freely transfer personal data in the EU to companies in the US. Thousands of companies took advantage of the Safe Harbor.
After the Snowden revelations, the European Commission and US authorities discussed a new framework that would address the Commission’s demands that these transfers be adequately protected from access and use by the US Intelligence community. After the negotiations were well under way, a separate legal challenge to the Safe Harbor was mounted. On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor on the grounds that the original Commission’s adequacy decision (1) impeded member state Data Protection Authorities from investigating complaints involving data transferred under the Safe Harbor and (2) didn’t protect EU individuals’ personal data from surveillance by US intelligence agencies. The decision immediately created significant legal uncertainty and forced thousands of companies that relied on Safe Harbor to identify and implement an alternative legal data transfer mechanism.
As a result, the European Commission and the US negotiators broadened their discussions to address the ECJ ruling. On July 12, 2016, the European Commission ruled that the EU-US data transfers could proceed under the Privacy Shield, which ensures an adequate level of protection for these transfers.
The Privacy Shield only applies to EU-US data transfers. It does not apply to data processing in the EU.
Q: Is Privacy Shield open to any company?
The Privacy Shield is available only to companies subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT).
Q: What are the Privacy Shield’s key requirements?
Companies must self-certify to the US Department of Commerce their commitment to comply with the principles governing personal data handling. They include:
- providing individuals with a privacy policy containing information about the company’s data handling practices and participation in the Privacy Shield. These notices must be significantly more detailed than permitted under the Safe Harbor. Companies using the Privacy Shield must disclose their privacy policies and fully implement them;
- abiding by enhanced restrictions on onward transfers of data to third parties;
- complying with specific data retention requirements and new accountability requirements for data security obligations;
- providing individuals with certain options regarding how their data will be handled and ensuring they can access their data; and
- offering new recourse mechanisms for complaints.
There are additional requirements for certain types of data, including human resources data and data collected by pharmaceutical and medical device companies.
Q: What are the key differences between the Privacy Shield and Safe Harbor?
It is important to understand that the Privacy Shield is not a repackaged version of the Safe Harbor. Key changes include greater transparency, accountability for sharing data with third parties, new dispute resolution mechanisms, and penalties for noncompliance. The Privacy Shield also has stronger monitoring and enforcement by US authorities, including increased cooperation with European Data Protection Authorities, and a joint annual review by the European Commission and the US Department of Commerce.
Q: Do companies have to use the Privacy Shield?
No. The decision to use the Privacy Shield is voluntary. Companies may use other data transfer mechanisms, such as model contractual clauses, that are approved by the European Commission. However, the validity of model contract clauses is currently being considered by the Irish High Court, with a likely referral to the CJEU.
Q: What do companies need to do to join the Privacy Shield?
The Privacy Shield is a self-certification system. To join, companies must provide a submission to the US Department of Commerce. Once it is reviewed and approved, the Department of Commerce will add the company to the list of participants posted on the Privacy Shield website (www.privacyshield.gov).
Before self-certifying, companies should assess their ability to comply with the Privacy Shield’s requirements and carefully review their current data handling practices and programs.
Q: Why should companies care?
US businesses that seek to transfer personal data from the EU to the US must have a legal mechanism in place to do so. The Privacy Shield is a streamlined mechanism for these data transfers with greater flexibility compared to other options.
Nonetheless, the Privacy Shield imposes substantial requirements on participants and may not be a data transfer solution for all companies. Businesses should discuss the pros and cons of Privacy Shield with their privacy counsel.
Q: Could the Privacy Shield be challenged?
Yes. Irish and French privacy advocacy groups recently filed challenges with the General Court of the CJEU. The General Court may reject the complaints on the grounds that the advocacy groups have not been directly and individually harmed. It is likely that further challenges to the Privacy Shield will be brought before Data Protection Authorities and member-state courts, though only a decision of the CJEU could invalidate it. However, the EU & US negotiators, acutely aware of this possibility, made a concerted effort to integrate enhanced safeguards to minimize the potential that the Privacy Shield will suffer the same fate as the Safe Harbor.
About Goodwin’s Privacy & Cybersecurity Practice
Goodwin’s Privacy & Cybersecurity Practice, established formally in 2004, leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial industry, licensing, litigation, investigations, regulatory, and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.
For more information about this update, or for other assistance regarding privacy and data security matters, please contact Brenda Sharton (Co-Chair, Privacy & Cybersecurity), Lynne Barr (Co-Chair, Privacy & Cybersecurity), Karen Neuman (Privacy lead in the D.C. office), or any member of the Goodwin Privacy & Cybersecurity practice.
Regional Case Summaries
California
Parties’ Agreement Determines Whether Court or Arbitrator Decides Arbitrability of Class Action Claims. In Sandquist v. Lebo Automotive, Inc., S220812 (Cal. July 28, 2016), the California Supreme Court held that the language of the parties’ arbitration agreement will govern whether a court or the arbitrator decides if the agreement permits classwide arbitration. In this employment discrimination and retaliation action, the arbitration agreement between employer and employee provided for any employment-based claim or dispute to be resolved through arbitration, but did not expressly address who would determine the availability of classwide arbitration. The court held that the agreement should be read to have the arbitrator decide on the availability of classwide arbitration because the arbitration clause was very broad, state law resolves doubts in favor of arbitration, and the agreement had been drafted solely by the employer.
Percentage-Based Attorneys’ Fees Permitted in Common Fund Cases. In Laffitte v. Robert Half International, Inc., S222996 (Cal. Aug. 11, 2016), the California Supreme Court held that in common fund cases, attorneys’ fees may be calculated as a percentage of the fund. The trial court in an employment class action had approved a settlement creating a $19 million fund and then had awarded class counsel fees equal to one-third of the settlement fund. The Court clarified that its decision in Serrano v. Priest, 20 Cal. 3d 25 (1977), which said that the lodestar method is the “starting point of every fee award,” was specific to fees awarded under a private attorney-general theory.
Personal Jurisdiction Found Over Non-residents’ Tort Claims. In Bristol Myers Squibb Co. v. Superior Court of San Francisco County, S221038 (Cal. Aug. 29, 2016), the California Supreme Court, by a 4-3 vote, upheld personal jurisdiction over an out-of-state defendant as to claims brought by 592 out-of-state plaintiffs. Although the defendant’s California contacts were insufficient to establish general jurisdiction, the court found specific jurisdiction over the nonresident plaintiffs’ claims on the theory that they arose out of a “single, coordinated, nationwide course of conduct.” The defendant has moved for a stay while it seeks review from the United States Supreme Court.
By Yvonne Chan
Delaware
Business Judgment Rule Applies Where Stockholders Approved Merger, Absent Conflicted Controlling Stockholder. In Larkin v. Shah, No. 10918-VCS (Ct. Ch. Aug. 25, 2016), the Delaware Court of Chancery held that a board’s approval of a merger will be assessed under the business judgment rule “if a majority of disinterested, uncoerced stockholders” approve the transaction absent a conflicted controlling shareholder. The court also rejected the claim that certain shareholders were “conflicted, controlling stockholders,” both because they had no “actual control” over the board and because their interest in monetizing their shares did not represent a conflict. This decision is essential reading concerning the effects of stockholder approval of proposed corporate transactions.
Company’s Limits on Shareholder-Director’s Access to Information Upheld. In Bizzari v. Suburban Waste Services Inc., No. 10709-JL (Ct. Ch. Aug. 30, 2016), the Court of Chancery considered the circumstances under which a stockholder who is also a corporate director may be barred from inspecting the corporation’s books and records. The Court granted Bizzari’s request to inspect certain limited financial records necessary to value his shares, but the court denied his request to examine other records that he had said were necessary to allow him to investigate mismanagement or wrongdoing, based on evidence that “convincingly established” his record of acting contrary to the interests of the corporation.
By Adam Chud
Massachusetts
Master Franchisor May Compel Arbitration Despite Not Being Party to Arbitration Agreement. In Brandao v. Jan-Pro Franchising Int’l, Inc., 2016 WL 2667632 (Mass. Sup. Ct. May 7, 2016), the plaintiffs, who were parties to a contract with an intermediate franchisor, alleged violations of the Wage Act and Independent Contractor Statute by the master franchisor. The master franchisor sought to compel arbitration of one plaintiff’s claims and to dismiss the other plaintiff’s claims under the arbitration and forum selection clauses in the plaintiffs’ contract with the intermediate franchisor. The Court found that because the contract was central to the plaintiffs’ claims, the plaintiffs “must be prepared to be bound in turn by the arbitration and forum selection clauses of that same contract.”
Waiver of Classwide Arbitration of Labor-Related Claim is Unenforceable. In Tigges v. AM Pizza, Inc., 2016 WL 4076829 (D. Mass. July 29, 2016), the U.S. District Court for the District of Massachusetts held that an employer cannot enforce a class action waiver in an arbitration agreement as against employees asserting labor-related claims. The court held that the waiver would violate the employees’ rights to concerted action under Section 7 of the National Labor Relations Act, even though the employees were permitted to opt out of the arbitration agreement containing the class action waiver. The decision followed a ruling by the Seventh Circuit but is contrary to decisions of the Second, Fifth, Eighth, and Ninth Circuits.
New York
Purchaser of Notes Lacks Standing to Assert Claims Under Champerty Statute. In Justinian Capital SPC v. West LB, AG, No. 155 (N.Y. Oct. 27, 2016), the New York Court of Appeals held that, under the champerty doctrine as codified in Judiciary Law § 489, the purchaser of certain notes that had previously declined in value lacked standing to assert claims relating to the notes. The court held, first, that an acquisition of notes or other securities is champertous if the purchaser’s primary purpose (or sole motivation) for entering into the transaction is to bring suit. The court then held that, although there is a safe harbor where the purchaser has a binding and bona fide obligation to pay a purchase price of at least $500,000 for the notes, that safe harbor does not apply if payment of the purchase amount is contingent on a favorable outcome of the lawsuit.
Arbitration Not Required Where Designated Arbitration Body Unavailable. In Moss v. First Premier Bank, 2016 U.S. App. LEXIS 15917 (2d Cir. Aug. 29, 2016), the plaintiff signed an agreement providing that any disputes with her lender would be resolved by arbitration before the National Arbitration Forum (NAF). When a dispute arose, however, the NAF refused to take it pursuant to a consent decree prohibiting NAF from accepting consumer arbitrations. The Second Circuit refused to compel the plaintiff to arbitrate, noting that “the agreement makes no provision for the appointment of a substitute arbitrator should NAF become unavailable.” This decision reinforces the need for including such language to ensure an arbitration forum.
“Reasoned” Arbitration Award Need Not Contain Detailed Analysis. In Leeward Constr. Co. v. American Univ. of Antigua, 826 F.3d 634 (2d Cir. June 24, 2016), the Second Circuit resolved the open question of what constitutes a “reasoned” arbitration award in cases where the parties have agreed that such an award is required. The court held that a reasoned award is “something more than a line or two of unexplained conclusions, but something less than full findings of fact and conclusion of law” – in other words, a reasoned award “sets forth the basic reasoning of the arbitration panel on the central issue or issues raised before it” but it “need not delve into every argument raised by the parties.”
By Jordan Weiss
Editor, Richard M. Wyner
Contributors
- Richard M. Wyner, Of Counsel
- Michael S. Giannotto, Retired Partner
- William R. Hanlon, General Counsel
- Richard L. Matheny III, Partner
- Carl E. Metzger, Partner; Chair, Risk Management & Insurance
- Joseph P. Rockers, Partner; Co-Chair, Private Investment Litigation
- Jeffrey A. Simes, Partner
- Mark E. Tully, Partner
- Jordan D. Weiss, Partner; Co-Chair, Private Investment Litigation