In the Global War for Data Privacy, Germany, France and Norway Launch First Strikes under ‘The Shield’

Snell & Wilmer

In the comic book world, one is often either a DC person or a Marvel person. In the data privacy world, one could say the European Court of Justice ruling last fall inspired the switch from DC’s Aquaman’s (Safe) Harbor to Marvel’s Captain America’s (Privacy) Shield. (See the February 2, 2016, post here on the new privacy framework for transatlantic data transfers.) Except it’s American companies that are on the business end of the Shield.

It was an October 6, 2015 European Court of Justice ruling that declared the old Safe Harbor agreement framework invalid because the United States did not afford an adequate level of protection for the transfer of Europeans' personal data to the United States. (This day-of-the-ruling post discusses that in further detail.) With the Shield in place since early February but still being hammered out, the 28 E.U. Member States (along with Norway, Liechtenstein and Iceland—the European Economic Area member countries) have begun testing its strength.

Taking direction from the European Court of Justice ruling, the Shield requires U.S. intelligence services to observe new limits and supervision procedures when accessing Europeans’ data. But U.S. companies need to appear on the Shield’s registry, via annual self-certification, and plan to resolve any complaints within 45 days, if they seek to handle Europeans’ personal data. A free alternative dispute resolution system and a privacy shield panel that can take binding action are the steps that follow an unresolved consumer complaint.

Enhanced oversight and enforcement mechanisms through the U.S. Department of Commerce, tightened restrictions on re-sharing of Europeans’ data by U.S. companies and companies remaining responsible for end uses are other attributes of the Shield framework. Like federal health privacy laws, the Shield requires that only the minimum amount of European personal data necessary for the intended purpose be used.

Meanwhile, German regulators have sought to bring U.S. companies still trying to take advantage of Safe Harbor to the correct side of the Shield. The city-state of Hamburg was reported to be targeting three U.S. companies still relying on Safe Harbor as a framework for data transfers. France’s data protection authority made similar allegations about Facebook’s operations as to transatlantic data transfers. (Facebook strongly denies this.)

Finally, U.S.-based online dating app Tinder may be in trouble with the Norwegian consumer authority, apparently under both Norwegian and E.U. consumer and privacy law. The Norwegian Consumer Council took issue early in March with Tinder users not being able to delete their own accounts, while the app company can delete users’ accounts at will.

It will certainly take time before the Shield is fully forged. In the interim, U.S. companies seeking to engage in transatlantic data transfers relating to E.U. citizens may wish to ensure that they have availed themselves of all of its protections.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
