All posts in Legal Developments

An overview of Sapin II

by James Farnell on July 10, 2017 in Legal Developments, News with No comments

Fraud, corruption, bribery. Across the globe, these challenges hit close to home for legal and IT professionals regularly called on to collect, analyze and produce data in support of an active investigation or compliance audit.

In France, game-changing legislation is taking effect to strengthen anti-corruption efforts and U.S. businesses with global operations need to be prepared. The provisions of new anti-corruption legislation, Sapin II, have just come into force in France (as of May 2017). Sapin II, adopted on November 8, 2016, is modeled on the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.

SAPIN II: THE KEY TO CLOSING LOOPHOLES IN FRANCE

In 2005, Sapin II was first proposed and named after Michel Sapin, a French politician and France’s Finance and Economic Minister. Like many countries, France has attempted to combat fraud through multiple anti-corruption laws. However, these laws had several loopholes. The main aim of Sapin II was to strengthen existing anti-corruption legislation by implementing provisions that would close existing loopholes in France’s anti-corruption laws.

Sapin II is a comprehensive anti-corruption framework, some parts of which are more important than others. Below are a few key provisions of Sapin II, along with brief explanations.

1. France’s Expanded Jurisdictional Reach: Prior to Sapin II, French prosecutors had limited jurisdiction in bribery cases. Sapin II removed these restrictions and gave criminal prosecutors the opportunity to charge more offenders in bribery cases.

2. Creation of the French Anti–Corruption Agency (AFA): Sapin II created a new administrative agency known as the AFA. The AFA has replaced the Central Service for the Prevention of Corruption (SCPC). It is monitored by a presidential appointee and a sanction commission. The AFA has four major responsibilities:

Prevent and detect corruption in the private and public sector;
Help companies implement compliance programs that are required;
Report violations of the law to prosecutors; and
Oversee the monitorships of corporations.

The AFA sends informative reports to the Justice and Budget Ministries to work together to keep up with fraud and anti-corruption strategies.

3. Compliance Program Requirement: Under Sapin II, a company must have a compliance program in place when there are more than 500 employees and the company has a gross revenue exceeding 100 million euros. This is applicable to both French subsidiaries and non-French companies who fulfill the above criteria. There are eight criteria that must be met in order for a compliance program to be deemed to be sufficient by the AFA. The most important criteria are that there must be corporate risk mechanisms and disciplinary procedures in place. Failure by a company to have a compliance program could lead to directors and managers being sanctioned by the AFA.

4. Whistleblower Protection Provision: Sapin II protects those who with good faith report against those who have violated any of France’s laws, international treaties where France is a party, or have threatened the public interest. In order for the whistleblower to receive protection he or she must notify a supervisor directly or indirectly. If the issue is not resolved within a reasonable amount of time then external parties may be notified and if three months have gone by and it is still not resolved, the public may be notified about the violation. Retaliation against a whistleblower can lead to both criminal and civil punishment.

5. French Deferred Prosecution Agreements (DPA): Sapin II’s DPA is modeled on the U.S. DPA. French corporations are forced to argue facts that have been listed by the DPA. Whether a corporation is punished depends on the judgment from a court through a public hearing. If found guilty, a fine of 30 percent of the company’s average revenue for the past three years must be paid to the French Treasury.

6. New Criminal Offenses and Bribery: It is now a crime for any company or individual to offer a donation, gift or reward to sway a public officer to abuse their discretion with public authority or government. This new criminal offense combines both French criminal law and anti-corruption efforts to stop and prevent fraud.

SAPIN II AND EDISCOVERY TECHNOLOGY

As legal and technology professionals in law firms and corporations begin to work under the new provisions of Sapin II, it will be increasingly important to turn to technology solutions to audit compliance programs and investigate fraud. Of particular interest within Sapin II, is the requirement that companies implement a procedure for assessing the effectiveness of a particular compliance program. The review of corporate electronic communication is one way of ensuring that organizations are complying with anti-corruption laws and ediscovery technology can be a critical piece of a thorough compliance audit. For example, the data analytics features in many leading ediscovery review platforms can help detect hidden or emerging compliance risks under anti-corruption laws.

In addition to assisting with a compliance review, legal professionals have increasingly leveraged ediscovery technology to facilitate the investigation and analysis of specific fraud matters. For example, in sensitive investigations, companies can rely on computer forensic experts to collect data and make use of mobile ediscovery technology which allows data to be processed, hosted and reviewed at the company’s premises, if need be. Data need not leave the premises while a sensitive investigation is underway. Most importantly, in France or anywhere around the globe, companies need to seek guidance from local experts to assist in the navigation of local data protection laws and with the collection, processing and analysis of electronic evidence in investigations and litigation.

Whether fighting fraud in France, investigating money laundering in Brazil or collecting data from a Chinese subsidiary in a U.S.-based litigation, organizations all over the world can manage a wide range of business and legal challenges using ediscovery technology.

James Farnell, KrolLDiscovery, Legaltech News

Editor’s note: this article originally appeared in Legaltech News.

About James Farnell

Qualified solicitor (commercial and intellectual property law) with four years international business development experience following four years of legal practice. Experienced in analysis and research of new business opportunities and developing new business strategy. Excellent project and people management skills. Successful record in developing new business products and revenue streams within the legal sector.

What you need to know about China’s Cybersecurity Law

by Lauren Grest on June 9, 2017 in Legal Developments with No comments

In June 2017, the People’s Republic of China is implementing its controversial Cybersecurity Law. The government is becoming more involved with data protection and strengthening enforcement. Up until now, its current rules have not been clearly defined or regularly enforced, so it is important to keep up with developments or risk getting caught off guard.

Unlike Japan’s focus on protecting data, China turns its attention to the network operators managing data. Below are some key facets to its new policy.

1. Data stored in mainland China: The new law insists that Chinese citizens’ “personal information” and “important data” be stored on servers within its borders. Any companies claiming an exception that is “truly necessary” must undergo a security assessment before information can be released.

2. Law applies to network product and service providers: The majority of the new law’s provisions apply to “Critical Information Infrastructure Operators” (CIIO) possessing data critical to China’s security. Industries predominantly targeted in this new definition include financial, transportation, health care, utilities and telecommunications.

3. Stronger data protection provisions: Supplementing existing data privacy guidelines in China, network operators must first obtain their clients’ consent before collecting and disclosing personal information, including the reason for the disclosure, and take measures to ensure the security of personal information.

4. Security examinations: All network providers must pass a “network security examination.” This includes specific requirements that network operators must follow when purchasing new network systems.

5. Severe consequences for noncompliance: While specific penalties are unknown at this time, cancellation of a business license is part of the current regulations. Additionally, the new regulations require CIIO’s to establish violation reporting mechanisms, suggesting that China is taking the new law very seriously.

As legal and technology professionals in law firms and corporations prepare for the data protection implications of the EU GDPR, do not disregard important changes afoot in Asia. Most importantly, seek guidance from local, in-country experts, prepared to help you collect, host and transport data in investigations, litigation or regulatory matters around the world.

About Lauren Grest

More Posts (35)

The lowdown on Japan’s APPI amendment

by Lauren Grest on May 25, 2017 in Legal Developments with No comments

On 30th May 2017, Japan’s historic Act on the Protection of Personal Information is going to be amended (APPI) . The APPI in its current form has been unchanged since the early 2000s and is one of Japan’s oldest data protection laws. The decision to amend APPI are, like other forthcoming updates to data protection legislation like the the GDPR, is in reaction to rising data volumes, increased data breaches and increased concern over privacy.

What does the amendment change?

1. Creation of the Personal Information Protection Commission: The amended APPI went into partial effect in 2016, creating the Personal Information Protection Commission (PPC) as a central, independent regulatory authority with enforcement powers.

2. Two new classifications: Two information classifications will determine whether data can be transferred and if the owner of that information can give consent to its transfer: sensitive information and anonymised information. Sensitive information (information about a person’s race, creed, social status, medical records, criminal history, etc.) receives enhanced regulatory protection, with the person’s content required before such data can be transmitted. Anonymised information (personal information where there is no possibility of identifying the person) can be transmitted with restrictions but without the express consent of the individual.

3. “Opt-in” is now “opt-out”: The current rules require the user’s permission before personal data can be transferred. Under the amendments, companies can share data without permission if they disclose certain information to the user beforehand, such as the nature and purpose of the personal data being provided, and the way the data is being provided. The company transferring the information must also give the user the option to opt out of the transfer before it occurs. Businesses must disclose to the PPC if they will continue to default to an “opt-out” policy, or change the process transferring information to a third party. The PPC will make these changes known to the public.

4. International data transfer policy: For the first time, the APPI will address international information-sharing. Any company transferring personal records outside Japan’s borders will need the user’s permission, and opting out will not be an option unless the foreign jurisdiction has similar privacy standards.

5. Sanctions for noncompliance: The PPC is enacting a two-tiered criminal penalty measure into the APPI and its guidelines. A negligent violation will bring about an enforcement notice ordering the company to either correct the issue or halt data transfer operations. Failure to comply may result in imprisonment up to six months or a fine up to JPY 300,000. Intentionally stealing or providing personal information for a dishonest purpose may result in a direct penalty of up to one year in prison or a fine up to JPY 500,000.

Companies and law firms who are processing data in Japan will need to be pro-active and vigilant in order to comply with these changes. For truly international companies who are preparing for GDPR, the changes will mesh well with their compliance plans. For smaller companies or those operating only in Japan, it is like to be more of a challenge.

Big data: high financials rewards, high regulatory risks?

by Lauren Grest on March 28, 2017 in Legal Developments with No comments

In a 2013 survey of 400 companies, management consultancy Bain & Company, found that companies using data analytics were:

Twice as likely to be in the top quartile of financial performance within their industries
Three times more likely to execute decisions as intended
Five times more likely to make decisions faster

Fast forward to 2018 and data analytics is firmly entrenched within many companies to the extent that it has attracted the attention of the regulatory authorities. The European Commission, the Competition and Markets Authority and the French Authorite de la Concurrence have all stated that big data and the competitive advantage it can give is a top investigative priority for 2017 and beyond.

How can big data give unfair competitive advantage?

Big data as an asset

Margrethe Vestager, the European Commissioner for Competition is currently considering revising merger control thresholds to include a threshold pertaining to non-turnover related big data holdings. Although the Commission previously incorporated the value of data into previous merger control investigations, this has largely involved companies where big data generates significant revenue. However, a company could acquire a business with a small turnover and large amount of user data, the new owner could exploit this data and reduce competitiveness that market place.

Big data pooling

Although sharing data is not forbidden per se, the way companies share data can breach competition rules. Companies can use big data to place themselves in dominant position over competitors. For example, if a company wants to diversify its offering and move into new areas, it can use data held on current customers to promote the new business. For instance, Uber’s access to users of its lift-sharing service can be used to promote other ventures such as UberEats. This gives Uber an unfair advantage over other providers offering a similar takeaway food business but lacking the data from such a large customer base.

The regulatory authorities take these violations seriously and are imposing significant fines. Most recently, the Belgian Lottery was fined €1 million for using a data base of customer contacts to promote a new sports lottery game.

A new form of white collar crime?

The formation of so-called digital cartels is predicted to be one of the biggest challenges regulators will face in the future. Digital cartels arise from companies using automated pricing systems. These digital tools automatically calculate prices according to a set of criteria such as supply versus demand, profit targets and so forth. Increasingly, these systems use machine learning technology. This can lead to the situation where two rival companies use the same pricing technology and react identically to changing market conditions. This results in prices being unintentionally fixed and the law being violated.

Getting value from big data without incurring fines

When it comes to the formation of digital cartels, prevention is complicated. Automated pricing systems are widespread and manual pricing models are unlikely to make a comeback. For regulatory authorities, who are reliant on laws written in the pre-digital age, enforcement is a greater challenge. However, Vestager has suggested a new directive might follow later in 2017 which may bring clearer rules and stricter enforcement.

Other streams of revenue enabled by the collection and analysis of big data are more easily policed. For companies who rely on sharing information for product development, Vestager recommends referring to the Commission’s guidelines on horizontal cooperation which shows companies how to share data in a way that doesn’t reduce competition.

She also discussed ways for companies to share information with competitors anonymously in a way that doesn’t harm their own business interests such as sending information to a platform anonymously. In return, they would receive aggregate data with no indication of which company it comes from.

In conclusion, competition enforcement is changing, and fast. Companies who use big data and smaller companies who hold big data should but don’t actively use it should closely monitor the Commissions announcements over the next few months in order to prepare for any changes. Watch this space!

[1] http://www.theregister.co.uk/2015/08/21/forget_big_data_hype_says_gartner_as_it_cans_its_hype_cycle/

[2] https://ec.europa.eu/commission/commissioners/2014-2019/vestager/announcements/big-data-and-competition_en

About Lauren Grest

More Posts (35)

Brexit and data protection

by Lauren Grest on June 24, 2016 in Legal Developments, News with No comments

As the world contemplates the ramifications of the EU referendum, we’ve speculated as to how Brexit might change the way our clients handle data transfers in litigation and investigations.

What legislative regime would govern the UK?

The UK currently operates under the Data Protection Act 1998, which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain has voted to leave the EU it is likely that the Data Protection Act 1998 will remain unchanged at least during the transition period.

For businesses operating solely within the UK, this means business as usual. However, things become complicated when a business needs to transfer data to or from another European country.

The EU is currently in the midst of replacing the General Data Protection Directive with the General Data Protection Regulation (GDPR) and had Britain voted to remain, British businesses would have had to comply with this new, tougher legislation which includes:

Increased fines, up to 4% of the annual global turnover
A “Privacy by design” provision requiring that data protection is designed into business services. Companies will need to ensure they are adopting measures to protect data right from the start of a client engagement.
Explicit consent being obtained for the collection and processing of data.
The appointment of an independent Data Protection Officer.
A “Right to be forgotten”. A client has the right to request the erasing of personal data. Companies will need to take steps to understand how they can comply with such a request.
A prohibition on data being transferred outside the EU without approval from the relevant supervisory body.

However, Brexit is not simply a case of “in” or “out” and much of the potential consequences of leaving depend on whether or not Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain becomes part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR. In business terms, this would make data transfers somewhat easier, assuming the EU found the UK’s safeguards to be appropriate. However, this would mean that the UK would still be subject to the DPD and from May 2018, the GDPR, when transferring data across borders to comply with legal obligations in other countries.

An EU-UK Privacy Shield?

If the UK does not become part of the EEA, the UK would probably have to negotiate an agreement similar to the EU-US Privacy Shield in order for UK companies to continue to transfer data between the UK and countries in the EU.

In this scenario it is likely the Article 29 Working Party would suggest similar terms to the US:

An ombudsman to handle complaints from EU citizens about the UK security services accessing their data.
UK Security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.
An annual review or audit to check the new system is working properly.

The Upshot

Data protection legislation is changing regardless of the outcome of the referendum and British businesses need to be prepared for these changes. Until the UK finalises its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across European borders. However, business does not have to come to standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices and data centres to continue to process and transfer data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.

About Lauren Grest

More Posts (35)

Brexit: Our position

by Lauren Grest on June 24, 2016 in Legal Developments, News with No comments

Although the results of the referendum are clear, the full impact of Brexit on data transfers in litigation and investigations is dependent on whether or not Britain becomes part of the European Economic Area (EEA) or the European Free Trade Association.

If the UK becomes part of the EEA and the EU finds the UK’s data protection safeguards to be appropriate this would make transferring data outside of the UK easier. However, it is likely that businesses will still have to comply with the new requirements to be implemented under the forthcoming General Data Protection Regulation, when transferring data across borders to comply with legal obligations in other countries. Both legal mechanisms and technology solutions are relied upon in these situations to safeguard the personal data of European citizens.

If Britain does not become part of the EEA, the situation is more complicated and it is likely that an arrangement similar to the EU-US Privacy Shield would need to be agreed. This will provide a safe passage for the transfer of data between the UK and other countries in Europe

Until the UK finalises its data protection regime and comes to an agreement with the EU companies need to think carefully about the risks of transferring data across European borders. Business does not have to come to a standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices to continue processing and transferring data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.

About Lauren Grest

More Posts (35)

Kroll Ontrack’s Canine Forensics Team: Sniffing out the evidence and cutting costs

by Lauren Grest on April 1, 2016 in Best Practice & Top Tips, Legal Developments with No comments

Kroll Ontrack is pleased to announce our latest weapon against data theft; our Canine Data Defenders. This new service, believed to be the first of its kind in the UK, will enable clients to reduce initial data forensics costs and speed up computer forensics investigations.

How does it work?

A dog’s sense of smell is unbelievably powerful, between 10,000 and 100,000 times as acute as humans, depending on the breed. A useful way of imagining this is to think of the difference in terms of vision; if a human can see an object one third of a mile away, a dog can see the same object 3,000 miles away. It is because of this ability that the dog’s sense of smell has long been utilised in the medical, military and law enforcement fields to detect cancer cells, explosives and drugs.

What do Kroll Ontrack’s dogs look for?

The human endocrine system is extremely complex and to a trained nose, compounds found in sweat can reveal much about the human in question’s behaviour and mental state. Someone using a device for illegal activity, for example, is likely to release a greater amount of stress hormone into their sweat which in turn is transferred onto the device via touch. Kroll Ontrack’s canine team has been trained to pick up on these scents and lead handlers to devices that have been used for nefarious purposes. The process is simple and a team of two dogs can check 100 devices within an hour, which is a marked improvement on a human team handling and scanning each device.

After a successful pilot study, the Canine Data Defenders will be available to clients from 31^st June 2016.

Kroll Ontrack Head of Computer Forensics , John Perro, commented “This is not about substituting human knowledge but about saving our clients’ time and money. Our dogs can pinpoint a machine used for suspect activity within seconds, allowing our human team to get straight into a type 2 data analysis. We can also see applications in internal compliance investigations. A quick sweep of an office using our dogs will provide compliance officers with a quick and accurate spot check of the company’s activities.”

A second team of dogs is currently in the final stage of training to provide early-evidence services for our ediscovery team, further cementing the role of dogs at Kroll Ontrack.

About Lauren Grest

More Posts (35)

How can banks reduce litigation and investigation-related legal costs?

by Lauren Grest on March 15, 2016 in Best Practice & Top Tips, events, Legal Developments with No comments

Last week over 50 corporate in-house counsel and lawyers working in the financial sector gathered in the rather glamorous surroundings of the Banking Hall to join Kroll Ontrack for our breakfast seminar, ‘Banks or Law Firms: Who holds the purse strings’

After a delicious breakfast, our illustrious panel tackled the complex and often, controversial topic of managing legal costs for banking-related investigations and litigations. The key themes up for debate were:

How recent ‘big ticket’ regulatory investigations have affected the banking world
Using the latest predictive coding technology to reduce legal costs
Leveraging corporate buying power when using law firms and other professional service providers
Discussing alternative pricing structures
Examining the pros and cons of unbundling legal services

The debate was moderated by Ben Fielding of Kroll Ontrack and our speakers included Elizabeth Meekison a Senior Lawyer in Commercial Litigation atLloyds Banking Group, Mark Humphries – Senior Partner at Humphries Kerstetter, Thomas Leyland, Partner at Dentons and, Orion Wisness, Discovery Consultant at Kroll Ontrack. With representation from in-house counsel from banks, senior partners from top law firms and a technology provider, each brought their own experiences and opinions to what was an eloquent, wide-ranging, and informative discussion.

The key points that emerged were:

Priorities for banks:

Banks value accuracy, defensibility of process and not necessarily lower costs when it comes to ediscovery
Working collaboratively with law firms and technology providers and ensuring regular and effective communication

The benefits of proactivity:

The importance of involving an ediscovery provider from the beginning of the disclosure process or investigation.
How implementing information governance strategies and managing the quantity and location of your data can reduce costs.
How fixed fee modelling could be implemented (and why this might not be a possibility in certain cases.)

Legislative concerns:

Are the standard disclosure rules too broad?
In light of spiralling data volumes, should the disclosure rules be modified so they are closer to the arbitration model?

The importance of predictive coding technology

With the recent judgement (Pyrrho Investments v MWB Property [2016] EWHC 256 (Ch)) approving the use of predictive coding still hot news, much of the debate and audience’s questions were focused on:

How technology such as predictive coding can be used to reduce the burden of big data in litigation and investigations
The implications of the recent judgement approving use of predictive coding technology in the UK
The need for both corporations and law firms to fully understand exactly what predictive coding entails in terms of both its capabilities and its limitations

We would like to thank speakers for taking the time out of their busy schedules to take part in the debate and share their expertise. We’d also like to thank our guests for joining us and further enlivening the discussion with their considered questions.

About Lauren Grest

More Posts (35)

UK High Court approves use of Predictive Coding in litigation

by Lauren Grest on February 25, 2016 in Legal Developments with No comments

Last week legal technology providers in the UK had a lot to celebrate as the English High Court approved the use of predictive coding for disclosure in litigation.

The judgement, handed down by Master Matthews, gave official judicial authorisation for the use of predictive coding in High Court proceedings. Summing up his decision, Master Matthews stated that predictive coding is just as accurate, if not more so than a manual review using keyword searches. He also estimated that predictive coding would offer significant cost savings in this particular case and that the possible disclosure of over 3 million documents done via traditional manual review would be disproportionate and ‘unreasonable’.

To read the judgement in full, please click here.

How does predictive coding work?

Predictive coding is an advanced machine-learning technology which allows computers to predict how documents should be coded (i.e., should a document be tagged ‘responsive’ or ‘privileged’) based on decisions made by human subject matter experts. Put simply, an experienced lawyer trains the computer by coding a sample set of documents, and the computer then learns what to look for based on this training. In the context of edisclosure and other investigative exercises involving electronic evidence, this technology can find key documents faster and with fewer human reviewers, thereby saving on cost and review time.

Who uses predictive coding?

Other jurisdictions, such as the USA and Ireland, have led the way in giving judicial approval to predictive coding, and the UK judgement references these cases in detail. Despite these cases as well as the ever-increasing sophistication of the technology itself, the UK law community has been somewhat reluctant to make use of the technology, as explored in this study by Kroll Ontrack Legal Consultant and former litigation lawyer, Hitesh Chowdhry.

In Chowdhry’s white paper, ‘Rage Against the Machine; Attitudes to Predictive Coding Amongst UK Lawyers’, he notes that his study revealed that the main barriers to adopting predictive coding technology were:

Risk aversion and mistrust of the technology’s accuracy
Belief that predictive coding would have a negative effect on revenue
Satisfaction with existing methods and a belief that existing practices offered more accuracy than studies have suggested
Insufficient understanding and knowledge of the complex predictive coding process
Diffusion amongst professionals

The UK judgement counters much of the fears uncovered in Chowdhry’s study by stating that the technology is accurate and offers cost savings.

Predictive coding and the Civil Procedure Rules

As data volumes continue to grow and traditional manual reviews using keyword searches become less feasible, predictive coding may be the best path toward complying with the Civil Procedure Rules.

Jeff Shapiro, a lawyer who has written frequently on costs in edisclosure, offered this comment: “The judgementapproving predictive coding for the disclosure of documents highlights the judiciary’s continued march to proportionate costs in litigation via application of the overriding objective. Review amounts to approximately 70% of total disclosure costs. With the ubiquity of electronic document creation and storage, litigators have an ever-increasing costs’ burden in order to fulfil their CPR disclosure obligations. The judiciary, recognising the realities of modern disclosure where millions upon millions of documents may need ‘to be considered for relevance and possible disclosure’, has proclaimed that predictive coding may be used as a substitute for manual review.”

The cost savings offered by predictive coding will undoubtedly be popular with clients and potentially will give a competitive edge in winning work.

We hope that this judgement will encourage more UK firms to take advantage of the benefits offered by predictive coding.

For more information about this technology, please click here.

About Lauren Grest

More Posts (35)

No more EU-US Safe Harbor. What are the implications for citizens and businesses?

by Thomas Cavro Dupont on November 16, 2015 in Legal Developments with No comments

Introduction

On 6th October 2015, the Court of Justice of the European Union declared in the case Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) that the “Safe Harbor Agreement” between the EU and the US is invalid.

Until now, the so called “Safe Harbor Agreement” was an agreement signed in 2000 between the US Department of Commerce and the European Union that allowed US-based companies to transfer data from EU to the US and to thus comply with the EU Data Protection Directive of 1995. In 2000, the European Commission had declared that the US provides for adequate safeguards for data protection. The “Safe Harbor Agreement” consisted of data protection principles to which to which US undertakings may subscribe voluntarily. Up to date, 4400 companies transferred data to the US under the “Safe Harbor Agreement”.

The online version of the Court judgment is available online here and the press release of the Court of Justice concerning this case is available here.

What is the background of the case?

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by US public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2002 the European Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the Data Protection Commissioner before the Irish High Court. The Court decided to stay the proceedings and to refer questions to the European Court of Justice for a preliminary ruling.

The European Court of Justice ruled that the so-called “Safe Harbor Agreement” was invalid because it allowed US government authorities to gain routine access to Europeans’ online information. The court also explained leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

What are the next steps following this judgment?

The Court of Justice ruling is effective immediately and declares the current “Safe Harbor Agreement” invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the EU Data Protection Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

What are the practical implications of this judgment for US-based companies who used to transfer personal data from EU citizens to the US under the “Safe Harbor Agreement”?

As we know, the recent Court of Justice judgment declared the “Safe Harbor Agreement” invalid. This means, under a strict interpretation, data transfers concerning personal data from EU citizens to the US cannot rely on the “Safe Harbor” anymore since it has been declared invalid.

Nevertheless, US-based companies should still be able to transfer data from EU citizens to the US by using alternative mechanisms such as standard contractual clauses, binding corporate rules (“BCR”) and derogations. Standard contractual clauses are model clauses that have been issued by the European Commission and are designed to facilitate transfers of personal data from the European Economic Area (EEA) to third countries that are not designated to be ”adequate” for the processing of personal data by the European Commission. The model clauses provide sufficient safeguards for the protection of the privacy of individuals.

“BCR” are internal rules such as a Code of Conduct adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. To that extent, “BCR” ensure that all transfers are made within a group benefit from an adequate level of protection. Once approved under the EU cooperation procedure, “BCR” provide a sufficient level of protection to companies to obtain authorisation of transfers by national data protection authorities. It should be noted that the “BCR” do not provide a basis for transfers made outside the company group.

As to derogations, the EU Data protection rules include derogations under which personal data can be legitimately transferred to the US on the basis inter alia of[1]:

performance of a contract [e.g. If you book a hotel in the U.S., my personal data are transferred there in order to fulfil the contract];
Important public interest grounds [e.g. cooperation between authorities in the fight against fraud, cartels, etc.];
The vital interest of the data subject [e.g. it means in urgent life or death situations, personal data such as medical records can be transferred internationally in the person’s own interest];
Or if there is no other ground, the free and informed consent of the individual;

From a pragmatic standpoint, although there is no official “grace period” following the invalidity of the Safe Harbor, US-based companies that transfer personal data from EU citizens to the US cannot be expected to cease such transfers immediately since this would affect numerous business operations.

Frans Timmermans, the First Vice-President for the European Commission, who will be charged with carrying out the ruling, and Vera Jourová, EU Commissioner, tried to ease the concerns of companies. Their official press release is available here. They said businesses could still move European personal data to the United States through other mechanisms including standard contractual clauses, binding corporate rules (“BCR”) and derogations.

How will this judgment affect the ongoing discussions concerning the new Safe Harbor Agreement, the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector?

Frans Timmermans, the First Vice-President for the European Commission and Vera Jourová, EU Commissioner, explained that the European Commission has been in discussions with the US over the past two years to revise the existing Safe Harbor. Negotiations are still ongoing but the aim is “to step up discussions with the US towards a renewed and safe framework for the transfer of personal data across the Atlantic”.

As to the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector, they explained that both are well on track and will most likely be finalised this year. The Data Protection Reform which will see the passing of a new EU Regulation to replace the Data Protection Directive aims amongst other things to strengthen the powers of national data protection authorities, which have an essential role in upholding individuals’ rights to data protection. In their view, this is fully in line with the recent Schrems’ ruling.

The EU-US Umbrella agreement differs from the Safe Harbor. It does not itself enable data transfers. Rather, it sets high data protection standards in the area of police and criminal justice cooperation. They explain that the Umbrella agreement will improve the protection of personal data of Europeans in the U.S. as it will make sure that citizens will have recourse to judicial redress possibilities in the U.S. in case of privacy breaches, once the US Congress has adopted the respective draft Bill.

Finally, Mr. Timmermans and Ms. Jourová explained that the European Commission would work with national data protection authorities to ensure that the court’s decision (Schrems’ recent judgment) is carried out in a uniform fashion across the European Union. They concluded saying “As citizens need robust safeguards and businesses need legal certainty; the guidance should help avoid a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike”.

What should companies do while the current legal situation is being clarified?

While the new Safe Harbor Agreement is being discussed between the EU and the US and the EU Data Protection Reform is finalised, companies that used to transfer personal data from the EU to the US under the Safe Harbor Agreement should now use alternative mechanisms such as standard contractual clauses, binding corporate rules (“BCR”) and derogations described above. We also suggest that companies seek guidance and approval from the respective national data protection authorities in the countries in which they have business operations.

In addition, if companies, for example, are in litigation in the EU that requires the services of an ediscovery provider or at least they need to process and host EU citizen’s personal data, we recommend that they opt for in-country solutions within the EU so as to comply with EU data protection regulations. In practice, this means for example, that if a German company has to collect data from their employees based in several locations in Germany with the assistance of an ediscovery provider, that data should be processed and hosted in a German data centre so as to comply with strict German and EU data protection regulations. The data should thus not leave the German borders. In our view, the Schrems’ recent judgment reinforces the need to use local solutions so that when data is processed and hosted to carry out electronic searches, data remains within the respective countries of the custodians concerned and above all remains within the EU. If data from the European custodians does have to leave the European Union and needs to be transferred to the US then it will have to be within the framework of the alternative mechanisms described above.

[1] For further derogations please refer to Article 26 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

Thanks Archana! Hope to see you soon :) https://t.co/O4RZo9AAUd
- Tuesday Aug 15 - 4:31pm

We are delighted to have made the @inc5000 of fastest growing private companies again! Proof that team work is the key to growth.
- Tuesday Aug 15 - 2:09pm

RT @sschnettler: Are There Better Ways to Destroy Smart Phone Data Than With a Hammer? https://t.co/4gw1RaiWoi https://t.co/iMVS5Tdlbh
- Wednesday Aug 9 - 2:25pm

RT @TheLawSociety: Brushing up on legal ethics? Let Ethical Ethel and her interactive dilemmas help you out https://t.co/tBTBqJ4qMZ https:/…
- Wednesday Aug 9 - 2:24pm

How do ediscovery tools tackle East Asian languages? Kate Chan our APAC Regional MD discusses @Legaltech_news… https://t.co/p6Vhwg2Fwp
- Thursday Aug 3 - 9:35am

All posts in Legal Developments

An overview of Sapin II

SAPIN II: THE KEY TO CLOSING LOOPHOLES IN FRANCE