U.S. and EU tech companies at sea with end of data Safe Harbor

26.07.2016
Nobody is more aware of our shrinking world than technology executives. They are also in a good position to see that contradictory requirements in the areas of data protection and privacy have created a confusing patchwork that, at times, runs counter to a global marketplace that places a premium on close collaboration and the smooth transfer of digital information.

Most companies are extremely diligent about complying with their cybersecurity legal obligations, but wildly inconsistent laws make it difficult. Some of the inconsistencies can be traced to deep historical and cultural differences between the United States and Europe. In comparison to the EU, the United States has traditionally offered a far more open framework when dealing with information. In litigation, U.S. laws have typically been more about sharing — even erring on the side of being overly inclusive.

The most significant piece of U.S. federal legislation in this area is the Cybersecurity Information Sharing Act (CISA), passed last December. The stated purpose of CISA is to promote sharing about cybersecurity and new threat vectors between the government and the private sector. The underlying idea is to remove barriers that kept the technology industry, which often is aware of new viruses or technical threats before the public sector, from sharing the information with the government, in an effort to inform and warn the public.

Although the public would certainly benefit from this kind of collaboration, companies remain reluctant to share such information because CISA does not shield them from the possibility of a lawsuit. Further complicating things, complying with CISA could produce some very severe consequences if a company also conducts business in Europe and shares any personal data of EU nationals, since the EU has a much stronger tradition of nondisclosure.

Previously, companies could balance the competing responsibilities between the two marketplaces by relying upon an approved “Safe Harbor” regime that allowed them to officially sign up to confirm that they adhered to a framework that had been developed by the Department of Commerce (DOC) in the U.S. and the European Commission. This essentially meant that they gave binding promises to the DOC and the public that they complied with privacy policy requirements and provided adequate protections for personal data sufficient to allow transfers of personal data from the EU to the U.S.

However, Safe Harbor suffered a huge blow when the European Court of Justice ruled that the European Commission’s approval of the program was invalid. Unfortunately for technology companies, this means the Safe Harbor route is no longer a valid basis upon which personal data can be transferred from the EU to the U.S. Even worse, there is currently no clear guidance as to what will be a properly valid route to effect such a transfer.

While the European Commission and the DOC have agreed upon a new arrangement, known as the “Privacy Shield,” and that arrangement has just received formal approval, there remain a number of concerns and issues in relation to it. Responses from the various data protection authorities across Europe have also diverged, and that divergence is likely to continue with the new problem of interpreting and applying the Privacy Shield requirements.

Technology companies now find themselves in a suddenly undefined EU marketplace in which data fines can vary by enormous amounts depending upon the jurisdiction. The clearest example of this is the case of Google. The Italian Data Protection Authority had previously hit the company with a €1 million fine for its Street View/Google Car activities in Italy. Because Google’s 2015 revenue was in the region of $74.5 billion, new EU fine levels being proposed could mean the company will face a fine of a whopping $3 billion.

As a result of the uncertainty that now reigns, organizations need to protect themselves by reviewing their existing compliance levels across the board. It is crucial to verify the types of data that are held, what needs to be disclosed in relation to particular cyberthreats, and whether such disclosure can be restricted or curtailed sensibly so that rights of action for data subjects do not arise, either in the U.S. or in the EU.

Steven Rubin is a partner with Moritt Hock & Hamroff LLP in New York, where he serves as chair of the firm’s Patent practice group and as co-chair of its cybersecurity practice group. Stephen Milne is a consultant with Memery Crystal LLP in London, where he focuses on business law and commercial contracts, including outsourcing, agency and distribution agreements, joint ventures, tender responses, franchising, marketing, introduction, reseller and maintenance and support agreements and key ancillary issues such as data protection and cybersecurity.

(www.computerworld.com)

By Steven Rubin, Stephen Milne