
Summary Judgment: EU Data Protection

EMEA Briefings

In the wake of the revelations regarding data collection practices by the US National Security Agency, European regulators have cast aside the Safe Harbor agreement governing transfers of data owned by US-based companies in the European Union. This change is a symptom of a broader shift in Europe's changing set of regulations. After over two decades under Data Protection Directive 95/45/EC, which has attempted to harmonize the 28 different data protection regimes of the member states of the European Union, the European Commission decided there was a need for wholesale reform.

As discussed in December's feature article "EU Data Protection Gains a Sword to go with its Shield," the European Union will in 2016 adopt firm, binding regulation to replace the patchwork of provisions governing data security.

The new Regulation will standardize the member states' differing approaches to data protection under a single law, and address issues not taken into account under the Directive, including developments in globalization, technological advancements and the digital economy. The European Commission aims to strengthen the rights of data subjects, give consumers greater control over their personal data, introduce stricter sanctions for data protection breaches, and make the new data protection law applicable to foreign companies with customers in the European Union.

One likely outcome of the regulatory shift will be renewed tension over discovery practices of foreign courts. In particular, the rigorous demands of e-discovery in US courts will face off with the newly defended right to privacy of European litigants. As the article states: 

In US litigation, the fundamental principle of broad discovery conflicts with the wide-ranging privacy framework of the European Union. US civil litigation under the Federal Rules of Civil Procedure (FRCP) is premised on the idea that expansive pre-trial discovery cuts to the heart of a dispute because it allows judges to focus on the legal issues with a well-developed record. European law is founded on the idea that citizens have a broad right to privacy, with little government intervention. While the discovery rules of the United States and the privacy laws of the European Union reflect a fundamental conflict between legal systems, the way that they have up until now clashed has been relatively narrow. The problem of discovery and privacy typically arose when a litigant in the United States requested documents stored in a European jurisdiction.

The outlook reflects a fundamental disparity in the way regulators from the United States and Europe treat privacy and the scope of discovery in litigation. From the article:

When the fundamental principles of American discovery and European privacy collide in a US court, judges must choose between adhering to the traditional discovery rules of the FRCP and respecting an EU litigant's legitimate right to privacy. American litigants clash against EU laws in a quest to obtain data that would otherwise be discoverable and now face a new, nightmarish prospect of being dragged into the EU's jurisdiction for noncompliance with the Regulation.

As for the future of the moribund Safe Harbor agreement, for now businesses operating in Europe and seeking to transfer data abroad will want to follow advice from the June feature "Transferring Personal Data out of the European Union: Which Export Solution Best Fits Your Needs":

Model Contract Clauses

  • Simple to execute
  • Straightforward check-the-box solution 
  • Expressly recognized by all European Economic Area DPAs 
  • Applicable to data exports globally 
  • Both controllers and data processors can use these

Binding Corporate Rules

  • No limits geographically on data transfers within a group of companies
  • Recognized as the highest standard in data exports
  • Considered future-proofed because this mechanism is expressly mentioned in the recent EU data reform laws
  • May be used as a comprehensive data governance framework
  • Both controllers and data processors can use these

See more on the EU's proposed data protection legislation in the December EMEA Briefing.
