chevron-down Created with Sketch Beta.
July 20, 2016 Articles

Data Breach Litigation Across the Atlantic

Requirements and guidelines on either side of the ocean create competing rules and policies.

By Steven Rubin and Stephen Milne

Compared with the rest of the world, the United States has historically had a more open framework for dealing with information. Social media have made even the most mundane and possibly personal pieces of data available to many with a press of a finger. Such an open relinquishment of private information is almost assumed and has become part of the American culture. Those who think about how easy it is to access data understand how their own data have become part of the searchable cyberspace.

In litigation, U.S. laws have typically been more about sharing—even erring on the side of being over inclusive. We look to “discover” all relevant information so that there are no surprises at trial. Evolutions in litigation and discovery practice approaches have emphasized simplifying the search for, and disclosure of, information and reducing costs in that search, but not necessarily limiting the release of the data. While protective orders have historically provided a certain level of limitation to data disclosure, the protection of data and personal privacy information have not historically been given the same level of emphasis in the United States.

When it comes to data protection, Europe is different, and the differences in the data privacy laws also reflect a difference in culture. In Europe, privacy rights are assumed, information confidentiality is maintained, and the U.S. concept of “discovery” is scorned. There is a concern that European sensitive data should stay outside the United States because the protection of such data in the United States is not sufficiently strong.

It is therefore not a surprise that the U.S. and European laws are inconsistent when it comes to cybersecurity. Preparing for and handling litigation in multiple countries has become extraordinarily complex. How is one to run one’s business and comply with the myriad of cybersecurity-related requirements worldwide?

Cybersecurity Law in the United States
The most significant piece of federal legislation in this area is the Cybersecurity Information Sharing Act (CISA), passed in December of 2015. The purpose of this act is, purportedly, to promote information sharing between the government and the private sector for issues relating to cybersecurity and new threat vectors. The idea is that sometimes industry is aware of new viruses or technical threats and industry does not share the information with the government so that the government may protect itself or inform the public, or both. CISA creates a voluntary means for companies to share their threat data with the government.

There are problems in the United States with sharing this information. While the act of sharing appears to be protected by statute, the underlying problem may not be. For example, if I see a threat to my system, I could tell the government of that threat and the act of telling would not create a new cause of action. But the law is not clear as to whether that sharing could then lead to a discovery request that would inquire about facts leading to a law suit relating to the cause of the sharing. Stated another way, I can tell the government I have a virus, and telling the government should not itself expose my company to liability. But I could later get sued for failing to comply with certain cybersecurity requirements because my system was infected with a virus and I did not take proper steps to protect the data.

So, trying to comply with U.S. laws alone creates a dilemma. But if you consider complying with CISA or a discovery request in the United States, you may also expose yourself to legal issues in Europe.

Cybersecurity Laws in Europe
If a U.S. discovery request seeks information relating to European Union (EU) nationals that involves the disclosure of personal data (broadly, data capable of being used to identify a living person either on their own or in conjunction with other data in the possession of the person controlling how the data are used), there are serious potential issues to evaluate now in light of recent developments overseas. Before January 2016, many organizations relied on the approved “safe harbor” regime developed by the U.S. Department of Commerce and the European Commission under which organizations could self-certify that they adhered to its principles. This essentially meant that the certifying company gave binding promises to the Department of Commerce and the public that the organization complied with privacy policy requirements and provided sufficiently high protections for personal data that transfers of personal data from the EU to the United States would be permissible under applicable legislation in the EU (in particular the Data Protection Directive).

However, the safe harbor regime has suffered a huge blow by virtue of a recent decision in the Court of Justice of the European Union (CJEU), which ruled that the European Commission’s decision to approve the regime was invalid: Maximillian Schrems v. Data Protection Commissioner, No. C-362/14 (E.C.J. 2014).

The Schrems case. This case involved Maximillian Schrems, an Austrian citizen who had been a Facebook user since 2008. Facebook habitually transferred some or all of the data provided by its EU-based subscribers from its Irish subsidiary to servers located in the United States. Schrems lodged a complaint with the Irish Data Protection Commissioner (the relevant supervisory authority in Ireland) on the basis that the law and practice in the United States did not provide sufficient protection of his data against surveillance by the public authorities.

Initially, Schrems’s complaint was rejected, particularly on the basis that the safe harbor regime ensured sufficient protection. However, on referral to the CJEU, that court held that the powers available to national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive cannot be eliminated or even reduced just because the European Commission originally decided that the safe harbor scheme provided such protection. The authority must look at the situation independently and determine whether the transfer of a person’s data to a third country complies with the requirements of the directive.

The CJEU then proceeded to consider the fact that public authorities in the United States are not subject to the safe harbor scheme. Further, national security, law enforcement, and public interest all may prevail to the extent that a U.S. entity holding or processing data may be forced to ignore the requirements of the safe harbor scheme where it conflicts with any of the foregoing—such as in responding to a court-ordered discovery request. As a result, data would not be protected in such circumstances, and there were no clear limitations or restrictions on the public authorities’ abilities that could serve to support the notion of there being adequate protection.

In addition, there was no clear ability for individuals to pursue legal remedies to access their data or to have it rectified or erased, which the CJEU viewed as inherent in the existence of the rule of law and as compromising “the essence of the fundamental right to effective judicial protection.”

For the above reasons, as well as a couple of others concerning limiting national supervisory authorities’ powers, the CJEU therefore held that the original European Commission decision that safe harbor privacy principles provided adequate protection was invalid—effectively nullifying the safe harbor option.

What Now?
There is clear guidance that the safe harbor route is no longer a valid basis on which personal data can be transferred from the European Union to the United States. But there is not yet clear guidance as to what will be a properly valid route to effect such a transfer. Indeed, different data protection authorities have been taking different approaches to this evolving situation.

For example, the Information Commissioner’s Office (ICO)—the supervisory data protection authority for the United Kingdom—has been issuing guidance trying to keep everyone calm. The ICO has been advocating that continued use of the safe harbor principles may (and the emphasis, unfortunately, is very definitely “may”) still be a sensible proposition in the interim. The ICO further indicated it will not take enforcement procedures yet, until an approved alternative to the safe harbor has been determined.

However, this guidance is not legally binding, and the ICO is keen to reiterate that companies need to review their compliance processes and procedures and satisfy themselves as to the practical protections that are in place and that are being (or could be) operated.

This approach has been somewhat reflected in guidance from the Spanish regulator, which has indicated that it will not rush to take enforcement action against companies, provided they are working on appropriate proposals and arrangements to ensure adequate protection of personal data.

However, in stark contrast, the data protection authority in Hamburg, Germany, has already made it public that it does not expect organizations to continue relying on the safe harbor and that it will institute immediate enforcement proceedings against any that do continue to transfer personal data outside the EU in this way. Such proceedings could lead to fines of up to 300,000 euros (roughly US$340,000) per data breach.

Some Proposed European Solutions
The Article 29 Working Party (which is made up of representatives from the data protection authorities of the EU states) recently confirmed that it views the use of binding corporate rules and model contract clauses as valid options to enable the transfer of data from the EU to the United States.

Binding corporate rules are essentially rules implemented by an organization that put in place adequate safeguards for protecting personal data throughout the organization and in line with the Article 29 Working Party’s requirements. Unfortunately, they are not a quick fix to the current situation if they are not already in place. Rules require an application to, and approval from, the relevant data protection authority via a relatively cumbersome design and implementation procedure, which usually takes in the region of 12–18 months.

Model contract clauses are, on the other hand, considerably easier to implement as long as both parties are in agreement. These provide for an approved set of contractual obligations that, if adopted into relevant contracts in their entirety, eliminate the requirement for the transferee of data to make its own assessment regarding the adequacy of the protections provided. There are different sets of clauses depending on whether the contract is between two data controllers (i.e., two entities that determine how and for what purpose data are processed) or a controller and a data processor (which simply processes on behalf of the controller).

A further possibility is to obtain express consent to the transfer of the data. However, even the more relaxed data protection authorities are closely scrutinizing this route to effecting transfers. The key concern is whether consent is specific enough in addressing the purpose for obtaining the data and whether it provides any real protection to the individual in any event.

In recent months several high-profile examples have involved data harvested from individuals on the back of a generic data consent, where those data are then retransferred, reused, and resold multiple times. In each of these cases, the concern is whether the individual who gave “consent” could have possibly anticipated these downstream transfers and uses. For that reason, while consent is crucial and should be verified clearly, binding corporate rules and model contract clauses are the current preferred alternatives to the safe harbor.

Privacy Shield
The European Commission and the U.S. Department of Commerce have agreed upon a new arrangement—known as the “Privacy Shield”—as a replacement for the now defunct safe harbor scheme. The Privacy Shield is in fact a collection of principles relating to the protection of data and recourse for individuals.

Privacy Shield is still a little way off, however. Implementation was set for June 2016, but there are still a number of criticisms leveled at it by both politicians and commentators (for example, U.S. laws on surveillance intelligence collection may be in conflict with the Privacy Shield), and implementation will likely be delayed.

In addition, the General Data Protection Regulations are upcoming (albeit implementation is likely to be a little way off—likely April 2018), and these will bolster both the European Union’s data protection authorities’ powers (including the ability to impose fines of as much as 4 percent of global turnover in cases of breaches of data subjects’ rights) and their likelihood to crack down on enforcement.

How Will This Affect Litigation in the United States?
In the context of litigation, the competing U.S. and European policies and rules raise a myriad of issues. First, where discovery is being sought, a party may seek to justify refusal of full discovery or to otherwise restrict discovery in relation to anything that may require transfer of personal data out of the EU. Organizations therefore need to be ready to offer up data transfer contracts based on the model contract clauses, in the first instance, to try to reduce the scope for such denial of data. Even then, this may not suffice if the data are in very sensitive jurisdictions where the relevant data protection authority is taking a hard line. Conversely, it may be quite difficult for a party avoiding a discovery request to convince a judge that the party cannot produce its own information for fear of adverse consequences in Europe. We envision that U.S. judges will not be inclined to limit discovery in such circumstances.

A second issue is that if a party simply accedes to the discovery request and transfers data, the recipient organization needs to be mindful of the fact that the disclosing organization may not have necessary permissions to enable lawful transfer of the data. Thus, the recipient of the discovery documents needs to ensure appropriate protections are in place for the data; otherwise, it runs the risk of claims against it by the data subjects, foreign data protection authorities, or both. Every organization will therefore need to ensure that its own compliance procedures and protections are in place but will also need to conduct a risk assessment of what it receives, based on where the transfer is from, what is actually transferred, and whether it is clear (or not) that the disclosing counterparty is entitled to make such disclosure.

A third issue relates to forum shopping and standing. Will a U.S. plaintiff be able to maintain an action while seeking to avoid producing documents for fear of European reprisal? Could a plaintiff seeking to comply with European law, by limiting discovery of documents, be hurting its ability to maintain standing here in the United States? Would such a consequence affect the forum where the plaintiff may seek to bring its action?

Cybersecurity litigation across borders is therefore a fast-evolving situation where data protection issues need to be verified by every organization as a matter of urgency. Each organization needs to review its current compliance arrangements and reevaluate on the basis of the above issues, identifying applicable jurisdictions and prioritizing appropriate strategies for the short, medium, and long term, to avoid falling foul of the more aggressive data protection authorities and their willingness to impose potentially sizable fines.

Keywords: litigation, corporate counsel, data transfer, European Union, safe harbor, Private Shield

Steven Rubin is a partner at Moritt Hock & Hamroff LLP in New York City, New York. Stephen Milne is a consultant at Memery Crystal LLP in London.