[This is an update to a previous post about how to maintain compliance in EU-US cross-border ediscovery.]
On August 1, 2016, the EU Privacy Shield Agreement will take effect after months of debate over how US-EU data transfers should be handled. From 2000 to 2015, the US-EU Safe Harbor Agreement enabled transfers of personal data to US organizations if they met certain requirements. While the agreement was popular for US businesses, it failed to satisfy European privacy advocates and was ultimately deemed invalid in courts for insufficiently guaranteeing protection for individuals’ data.
Many consider the new Privacy Shield to be a different name for the same thing, but in reality the new requirements are designed to better match the EU’s data privacy protections. According to John Frank, Microsoft’s Vice President of EU Government Affairs, “[the] Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements.”
Some of the main ways that Privacy Shield differs from Safe Harbor are:
- Stronger Supervision and Enforcement. The former oversight system of self-regulation under Safe Harbor will be replaced by one that is more responsive and proactive. The Department of Commerce will begin to actively monitor compliance through tailored questionnaires, tests, and other approaches, while the Federal Trade Commission will better maintain a “wall of shame,” identifying those subject to Privacy Shield violations.
- Stricter Onward Transfer Requirements. Participation in the Privacy Shield comes with tightened conditions for onward transfers (also known as “re-exporting”), which occur when a business that has received PII then transfers it to a second recipient, like a partner or vendor. Third parties in an onward transfer are now required to provide at least the same level of protection as the Privacy Shield. That all sounds reasonable enough, but these stricter requirements will likely make the vendor selection process much more rigorous for companies dealing in EU data.
- New Process for Misuse of Data. EU citizens who believe their data has been misused will now have numerous options to pursue, including being able to report complaints directly to their local Data Protection Authority. The Privacy Shield also creates a new arbitration right for unresolved complaints.
While we wait to see how exactly the Privacy Shield will affect global ediscovery, companies can make sure they’re prepared today by following a few key steps:
- Know your data. Knowing what kind of data you have and where it is will allow you to expedite searches for pertinent information and demonstrate a need to invest in processing tools that can handle data stored in unusual formats.
- Choose state-of-the-art review tools. The better the review tool, the more efficient and defensible the results will be. Risk-conscious organizations are investing in legal technology that will help them remain compliant with data privacy laws and reduce the chance of inadvertently leaking sensitive information, particularly in international litigation. Blackout, for example, is a redaction tool for Relativity that automatically redacts sensitive words, phrases, and patterns (PII, credit card numbers, etc.) from case documents, preventing accidental disclosure while significantly reducing review costs.
- Update policies immediately. Organizations dealing in cross-border data should immediately appoint Privacy Shield experts to update all data storage and transfer policies, especially around onward transfers, notice, and access. Existing vendor agreements should be revisited, and new policies put in place for the vendor selection process going forward. Like Safe Harbor, the Privacy Shield has a training requirement for employees who have access to EU citizens’ data, which can be used as the basis for a company-wide data security training module for global use. Clear, updated policies + rigorous training = compliance.
As we bid farewell to the Safe Harbor Agreement and anticipate the new, more secure Privacy Shield taking effect, it is more crucial than ever to implement policies and tools to ensure compliance without breaking the bank.
To learn more about how automated redaction can help you stay compliant under the Privacy Shield, contact firstname.lastname@example.org.