Jorge Peniche Baqueiro
Information Privacy Law
Ira S. Rubinstein
March 7, 2017
The EU and US approaches on privacy issues: the battle could escalate even more but find some convergence
Yale’s law professor James Q. Whitman has described the differences about privacy law approaches in the United States and Europe as a clash that has actually deeper roots. The core of the conflict is found, he argues, on the consideration that these cultures respectively pay to the fundamental values of liberty and dignity – a matter deeply concerned with their particular experiences, sufferings and traumas through history.
The distinction is not merely theoretical however. It has provoked some tensions, costly litigation and trade battles during the last decades following the rocketing of transatlantic data traffic. Well, the battle could have reached last year a new stage with the enactment, by both the European Parliament and Council, of the Regulation (EU) 2016/679. The General Data Protection Regulation (GDPR) will take effect on May 24, 2018 and it will repeal former Directive 95/46/EC.
Those experts in EU law know that the opted legal design and architecture is not only about semantics with regard to the use of the word regulation instead of directive. The GDPR aims to create a more unified framework, binding on the State parties, that substitutes the bunch of domestic legislations promulgated in implementation of the former directive.
This battle has seen some remarkable episodes and also some interesting truces. First, to guarantee adequate levels of protection and allow to send personal data to “third countries” outside the scope of the former directive, i.e. the European Economic Area, the US-EU Safe Harbor Framework was developed between 1998-2000. The European Commission issued then a crucial decision endorsing the “safe harbor scheme” by stating that US companies certified in meeting EU requirements were allowed to transfer data from the EU to the US. Nevertheless, the European Court of Justice held recently, in 2015, that the “Safe Harbor Decision” was invalid. As a consequence, the EU-US Privacy Shield was announced by both sides last year in order to provide stronger protections.
The GDPR introduces significant novelties and constitutes indeed a milestone towards a more robust protection. To mention a few: a broader scope of application for data controllers established outside the Union and stricter “valid consent” controls. But as the due date approaches and some on-going litigation cases are being now discussed in the American courts, some have raised concerns about the coming storm in the horizon.
Ricci Dipshan writing last February for the renowned legal news website “Law.com” pointed out, the issue of litigation-related international data transfers – new perils will be faced when personal data must be transferred from the EU to the US for use in e-discovery
In short, the GDPR forces e-discovery practitioners in the US to target the data, subject to discovery, in a narrow fashion. This imperative certainly is against odds the US common practice of taking the wholesale data sets and move it into the e-discovery process. Proportionality is the new king in the hill.
Practitioners Christian Schröder, Jeffrey McKenna and Renne Phillips have sailed into the GDPR sea in the search for options. They argue that articles 46 and 49 provide the most useful mechanisms for transfers to the US during discovery. EU Standard Contractual Clauses (SCCs), as proposed by the EU Commission, could be a good alternative for facilitating data transfers for smaller companies or one-off data transfers. On the bright side, as Article 49(1) didn’t include a restriction commonly used on domestic implementing legislations, there seems to be room to argue in favor of pre-trial discoveries as opposed to the concept of transfers only allowed for “pending litigation” and not mere controversy between the parties.
Although the main recommendation is a careful case-by-case assessment, which just for this reason seems to foster the deterrent goal pursued by the GDPR, Brian Corbin, assistant general counsel of legal discovery management at JP Morgan Chase & Co, notes that there is nothing new under the sun. Under the 2015 amendments to the Federal Rules of Civil Procedure and its similar requirement of proportionality in e-discovery there is sufficient overlap to have a good starting point for US practitioners and companies to approach data collection under the GDPR.
Probably there are more episodes to come in the battlefield of the way privacy law is understood in the US and the EU. Still, there seems to be also a compromise point, beneficial for the citizens indeed.
For more information
http://www.lexology.com/library/detail.aspx?g=27ae467a-e2ed-4efc-ba4d-16d74c95e661
http://www.law.com/sites/almstaff/2017/02/06/the-storm-on-the-horizon-4-things-to-know-in-prepping-for-general-data-protection-regulation/?slreturn=20170206133625