Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech eco-system, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data, and this has already affected proposed deals: the European Commission opened an in-depth investigation into Apple’s proposed acquisition of Shazam over possible adverse effects on rival music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

The European General Data Protection Regulation (GDPR) becomes applicable on May 25, 2018, which gives companies only two months to prepare for and comply with it. Companies should be conducting data mapping now to identify all cross-border transfers of personal data so that they can determine how each transfer will comply with the GDPR’s requirements.

The GDPR has been perhaps the most widely discussed privacy regulation of the past year and a half, since its approval by the European Parliament on April 14, 2016, because of the sweeping changes it will bring to how the global digital economy processes personal data. The GDPR will apply to all companies established in the EU, irrespective of whether the personal data is processed inside or outside the EU. It will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor the online behavior or activities of individuals in the EU.

Any transfer of personal data to a third country may take place only if certain conditions are met by the data exporter and the data importer. A company transferring EU personal data outside the EU must identify a valid transfer mechanism for that data. The available routes fall into three groups: (1) transfers within the EU/EEA and to countries covered by adequacy decisions; (2) appropriate safeguards; and (3) derogations.

Transfers Within the EU and Adequacy Rulings

Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.

Cross-border transfers may also take place without further authorization if the European Commission has determined that the third country ensures an adequate level of protection for personal data. In making that determination the Commission considers, among other factors, the rule of law and respect for human rights in the country, its general and sectoral data protection law, its legislation on public security, defense, national security and criminal law (including public authorities’ access to personal data), the existence of enforceable data subject rights and effective administrative and judicial redress, and the presence of an independent supervisory authority.

Appropriate Safeguards

In the absence of an adequacy determination, cross-border transfers of personal data are permitted if the controller or processor puts in place EU-approved appropriate safeguards. The most widely used are binding corporate rules and model contractual clauses; for transfers to U.S. companies, certification under the EU-U.S. Privacy Shield (formally a Commission adequacy decision limited to certified organizations, rather than an Article 46 safeguard) is discussed below.

Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different entities of the same corporate group. BCRs are a favored mechanism because of their flexibility, their capacity for tailored customization, and the lower administrative burden once they are in place, although obtaining approval from the competent supervisory authority is a lengthy process.

Model contractual clauses (also called standard contractual clauses) are legal terms in template data transfer agreements adopted by the European Commission. They can be burdensome because a new set of clauses must be executed to cover each new third party and each new transfer arrangement, and the clauses themselves may not be modified, apart from adding business terms that do not contradict them.

Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can instead self-certify under the EU-U.S. Privacy Shield that they meet the data protection standards it sets out. The Privacy Shield remains subject to the same criticism that brought down its predecessor, Safe Harbor: that it does not fully protect the fundamental rights that EU law grants individuals, particularly against access to their data by U.S. public authorities.

Derogations
In the absence of either an adequacy decision or an appropriate safeguard, a cross-border transfer can still take place in limited circumstances where a specific derogation applies. These include situations where the individual explicitly consents to the proposed transfer after being informed of the risks of transferring without an adequacy decision or appropriate safeguards, where the transfer is necessary for the performance of a contract between the individual and the controller, or where the transfer is necessary for important reasons of public interest. The derogations are fact-specific and are not intended to serve as a company’s primary mechanism for routine or repeated transfers.

Guidance for GDPR Compliance

Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight. Beginning May 25, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.

To comply with the GDPR, companies should first identify and map all cross-border data flows. For each flow, they should then assess whether the receiving country is in the EU (or Norway, Liechtenstein or Iceland) or is otherwise deemed adequate. If not, the company should consider whether appropriate safeguards are in place and, failing that, whether a specific derogation applies.

With the European Union’s new General Data Protection Regulation (GDPR) taking effect in less than 100 days, many U.S. companies have become interested in how the GDPR may affect their overseas and internet-based businesses. This article, “Why GDPR Matters,” which I co-authored with Bill Shipp from Vaxient, LLC and Jonathan Marks, CPA from Marcum, LLP, tackles this hot issue and answers why GDPR should matter to U.S. companies in a wide variety of industries.

To assist U.S.-based companies in determining how GDPR may affect their business, Fox Rothschild has also developed a GDPR mobile app called “GDPR Check.” The app is designed to help companies determine which areas of their business (if any) may require GDPR compliance.

If you have any questions about how GDPR may affect your company, we encourage you to consult a knowledgeable attorney and experienced professionals.

Last year saw multiple high-profile data breaches, enough to place cybersecurity atop any in-house attorney’s 2018 priority list.

But the threat posed by hackers isn’t the only cyber concern on the minds of in-house counsel this year, reports Corporate Counsel magazine.

In the regulatory realm, complying with the European Union’s General Data Protection Regulation, which takes effect in May, is expected to be companies’ top data privacy task of 2018. But it’s not the only one. The Chinese government also plans to impose new, below-the-radar data privacy regulations that will make companies jump through another set of legal hoops.

The legal implications of new technologies, such as fitness devices that blur the line between medical and personal data collection, are also expected to challenge corporate counsel. And groundbreaking legal cases could change the law regarding who has standing to sue following a data breach in the U.S. and whether companies can use standard contractual clauses to transfer personal data out of Europe.

On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. Under the new privacy rules, companies that provide online services to residents of the EU and rely on consent as their lawful basis will be required to obtain documented, affirmative “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott outlines the high stakes for companies affected by the GDPR: fines for non-compliance of up to four percent of worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on the EU-based user experience, and notes that companies will need to account for the member-state derogations the GDPR permits, which can vary from country to country.

We invite you to watch Scott’s informative segment.

An executive order signed by President Trump last week potentially put the six-month-old Privacy Shield in jeopardy. Although aimed mostly at immigration and border enforcement, the EO, titled “Enhancing Public Safety in the Interior of the United States,” also excludes non-U.S. persons from the protections of the Privacy Act.

Section 14 of the Executive Order reads:

“Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The potential consequences should be obvious. Excluding non-U.S. citizens and residents from the protections of the Privacy Act could undermine the U.S. commitments on which the Privacy Shield’s adequacy finding rests with respect to the personal data of EU individuals. This could in turn lead to the invalidation of the Privacy Shield outright.

In a statement, the European Commission supported the Privacy Shield and downplayed the impact of Trump’s EO. “The U.S. Privacy Act has never offered data protection rights to Europeans,” a spokeswoman for the EC said. This suggests that the EC is taking the position that the Privacy Shield is not contingent on the Privacy Act, which covers only data held by U.S. agencies, and not by private companies.

But others in Europe are less sanguine. European Parliament Member Jan Philipp Albrecht said he fears the EO will undermine the Privacy Shield, tweeting: “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-U.S. umbrella agreement.”

Albrecht’s reaction may overstate the immediate legal effect. The EO applies only “to the extent consistent with applicable law,” and the Judicial Redress Act of 2015, which extends Privacy Act remedies to citizens of designated countries by statute, is untouched by it. Read against that Act, the Privacy Shield and the Umbrella Agreement between the U.S. and EU – which governs information sharing by law enforcement across the Atlantic – both remain intact for now.

Still, it is hard to see how the EO and other protectionist policies announced by the Trump Administration will not jeopardize the Privacy Shield, which is administered by the Department of Commerce and enforced by the FTC, agencies under the President’s control. If those agencies are directed not to pursue privacy violations, or if enforcement is simply reduced, the Privacy Shield is unlikely to survive in the long term. One critical component of the framework, added after Safe Harbor’s invalidation, was a commitment to stronger U.S. enforcement of EU privacy rights, including recognition that Europeans can bring complaints in the U.S. against companies that might not otherwise be reachable in the EU.

Worth remembering, too, is that the Privacy Shield is subject to an annual joint review by the U.S. Department of Commerce and the European Commission. A deal founded on U.S. enforcement is unlikely to survive that review if the executive branch has been directed not to enforce non-citizens’ privacy rights.

The question may in the end turn on the FTC and whether it enforces both privacy violations generally, and the Privacy Shield specifically. U.S.-EU diplomacy in other areas may also bleed over into the Privacy Shield debate.

So far, more than 1,500 companies have self-certified under the Privacy Shield, which was approved in July 2016. Self-certifications began in August 2016 in the wake of the invalidation of the Safe Harbor agreement. U.S. companies certified under the Privacy Shield should closely monitor the situation. One smart strategic option is adoption of Model Contract Clauses as a “belt and suspenders” approach to compliance.

The clock is ticking toward the May 2018 implementation of the EU’s General Data Protection Regulation (GDPR) and, according to PwC’s recently released Pulse Survey, U.S. companies are now investing significantly in compliance measures. Per the survey, 92% of respondents consider GDPR a “top priority” for 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

“No legislation rivals the potential global impact of the EU’s General Data Protection Regulation,” said Jay Cline, PwC’s U.S. Privacy Leader. “The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for U.S. companies that offer goods and services to EU citizens.”

In December, prominent GDPR analyst Chiara Rustici advised businesses “to ring fence 4 percent of 2016 global turnover and earmark it as budget for 2017 compliance.” (Because of its proximity to the release of the EU Article 29 Working Party’s own GDPR guidance, which clarified certain key enforcement issues for member states, Rustici’s budget advice was unable to fully account for the new information.)

“American multinationals that have not taken significant steps to prepare for GDPR are already behind their peers,” Cline also said. This statement echoes Rustici’s advice in 2016, in which she stated that “there are no excuses for not having a GDPR budget in place before the end of 2016.” Though more than a year remains for companies to achieve compliance, and further guidance is expected from EU data protection regulators, PwC cautioned that companies should not wait to make it a priority.

For organizations wondering where to start, here are perhaps the most important steps they should take.

Need for Data Portability and Data Mapping

In its December guidance, the Article 29 Working Party addressed a major issue for which companies will need to develop infrastructure and processes: data portability, the ability of an EU individual to obtain their personal data and easily transfer it to a different service provider. Closely tied to this are two other central GDPR rights: the right of access, whereby a user can discover what personal data of theirs a company holds, and the “right to be forgotten” (right to erasure), whereby a user can request the deletion of that data. To make these rights workable, the record-keeping obligations of Article 30 of the GDPR in practice require companies to create comprehensive data maps showing what data the company possesses, where it is stored, how it flows, with whom it is shared, and how it is used.

The guidance also indicated the need for companies to develop systems, technological or otherwise, to respond to individual requests under the data portability provision. According to the Working Party, “one of the ways in which a data controller can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API). This would enable individuals to make requests for their personal data via their own or third-party software or grant permission for others to so do on their behalf.” Whatever the process chosen, fulfilling the data portability and data mapping requirements represents no small IT investment for affected companies.

Budget Across the Enterprise
GDPR applies to companies as a whole, and for budgeting purposes, leaders should also take the regulation into account across the full enterprise, as opposed to merely in the legal, compliance and IT areas. “[T]he budget is there to ensure that any interaction of EU-based individuals with a brand’s real and digital estate follows the EU data protection principles,” noted Rustici, and “that will mean product design, user experience, distribution and after sales support, HR, marketing, legal, risk and compliance, storage and security should all own a share of the corporate GDPR budget.”

A good GDPR budget may allocate money to some or all of the following line items:

  • data inventory and mapping
  • privacy and state-of-the-art security by design
  • solutions to enable data portability and the right to be forgotten
  • internal GDPR training
  • stress-testing GDPR resilience, information security, and audit
  • enterprise-wide coordination and compliance
  • vendor management
  • hiring of a GDPR architect, CISO, and/or DPO

Hire a Data Protection Officer

Relevant to the last line item above, the GDPR requires public authorities, and organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data, to designate a Data Protection Officer (DPO). The DPO independently oversees corporate compliance and may be an employee or an external appointee. In its December 2016 guidance, the Article 29 Working Party went further and recommended voluntary designation of a DPO even where the GDPR does not specifically require it.

The guidance also indicated that the terms “large scale” and “core activity” as they pertain to the DPO requirement will also be broadly interpreted. Regulators will consider a number of factors including the volume of data, its geographic breadth, and its importance to a company’s operations. The Article 29 Working Party clarified this point by way of example: “the core activity of a hospital is to provide health care. However, a hospital could not provide health care safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs.” Following this example, organizations operating in highly regulated industries, such as healthcare, financial services, insurance and consumer businesses, should anticipate the need to hire a DPO.

A GDPR architect – a CTO, CISO, CIO, data privacy lawyer, compliance officer, or all of the above – may also be needed. As Rustici put it, “Think of a DPO as a ship’s captain and of a GDPR architect as the naval engineer. [T]o set sail to the seas you rely on a good captain, who can chart a course and avoid thirty-foot waves; but to build or make a ship sea-worthy, and ensure that it can withstand even thirty-foot waves, you first rely on a good naval engineer.”

Other Initiatives

Ensuring data portability and enabling data mapping, budgeting across the organization for GDPR, and designating the DPO and other important roles are only three of the most prominent steps U.S. multinationals are taking in the new year. Other top priorities could include reviewing and revamping privacy policies, examining procedures to ensure consent for collecting/processing personal data, and improving vendor management programs. Many organizations are also considering data localization, including moving data centers to Europe, while others are assessing the viability of transitioning operations out of Europe altogether.


On Wednesday, the United States and Switzerland struck a new “Privacy Shield” agreement that mirrors the U.S.-EU Privacy Shield framework. It will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements.

The deal replaces an existing safe harbor agreement, which has been in question since the Schrems decision was issued in October of 2015. Companies with Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12. The 90-day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail.

Ken Hyatt, the acting Under Secretary of Commerce for International Trade, praised the accord, saying it “will enhance transatlantic data protection and support the continued growth of U.S.-Swiss commercial ties, which included two-way direct investment totaling more than $410 billion in 2015.”

Swiss officials echoed the sentiment, highlighting that the deal aligns with the U.S.-EU Privacy Shield framework and imposes stronger obligations on U.S. companies to protect personal data transferred from Switzerland. Like the U.S.-EU framework, the new deal also requires more stringent monitoring and enforcement by the Department of Commerce and the Federal Trade Commission.

Last October, the European Court of Justice invalidated Safe Harbor, throwing a legal wrench into the transatlantic data transfer machinery of thousands of EU and U.S. companies. On Tuesday, the European Commission (EC) provided relief from the digital limbo that has ensued by formally approving and adopting the new Privacy Shield pact, a week after EU member states provided their own seal of approval. The agreement paves the way for new certification and the resumption of EU-U.S. data transfers for commercial purposes.


Privacy Shield was designed and negotiated to ensure an adequate level of protection for the personal data of EU individuals upon and after transfer from the EU to the U.S. Though the EC’s decision takes immediate effect, domestically the framework will first be published in the Federal Register, and companies will be able to self-certify Privacy Shield compliance to the U.S. Department of Commerce beginning August 1.

While the initial draft of the agreement was met with significant pushback in Europe, negotiators have since strengthened the independence and authority of the U.S. ombudsman, clarified what constitutes proper “bulk” data collection (and how it differs from mass surveillance), and added detail to the requirements for corporations. Among these is an obligation to delete personal data that is no longer necessary for processing purposes. Such changes cleared the way for EU member state and EC approval.

Despite the fanfare, the deal has not received universal acclaim. Max Schrems, the Austrian law student whose lawsuit ultimately led to the invalidation of Safe Harbor, has already threatened a new legal challenge. Indeed, the new framework may turn out to be only a short-term solution. If the European Court of Justice eventually considers a challenge to the agreement, there is no guarantee that it will survive. The ECJ could very well find that Privacy Shield contains the same adequacy failings as it found within Safe Harbor – a decision that was based more on U.S. surveillance programs than any business compliance failures.

Nonetheless, Privacy Shield now provides a third option for businesses’ data transfer compliance, alongside binding corporate rules (BCRs) and model contract clauses. The latter two options tend to be more costly and do not provide absolute protection against claims or enforcement actions. Yet regulators in both the EU and U.S. have made clear that they will not look favorably on a failure to respond to Safe Harbor’s invalidation. Taken together, these facts may lead companies to consider a multipronged approach to compliance.

What Are the Implications of the Privacy Shield on U.S. Companies?

Both U.S. companies and the federal government will see significant changes as a result of Privacy Shield. As we await publication of the full text, the Department of Commerce and European Commission have provided some further detail and guidance as to requirements for U.S. companies wishing to participate:

  • The Department of Commerce and the Federal Trade Commission will provide oversight and enforcement.
  • Each participating company must register with the Department of Commerce starting August 1, 2016:
    • They must publicly self-certify that they meet and will continue to meet the outlined data protection standards. These include enhanced rights for individuals whose data they collect, limitations on what data can be transferred, and new rules surrounding data retention;
    • They must renew their self-certification every year.
  • Each company must have an adequate privacy policy in place, containing:
    • a statement of its commitment to the Privacy Shield and other required language; and
    • information on individuals’ right to access their personal data and the possibility the company will disclose that data to third parties (including relevant authorities).
  • Each company must establish procedures to collect and address complaints from individuals, including free avenues to resolve disputes (for example, participating in binding arbitration).
  • Each company must institute additional safeguards and notice requirements for data transfers to third parties.

In the wake of yesterday’s referendum decision in the UK to leave the European Union, markets are tumbling and predictions on its impact are far from scarce. Despite the turmoil, privacy officers should follow the old British refrain: Keep Calm and Carry On.

That’s because, whatever the uncertainty, the negotiations or the eventual regulatory environment, it will likely take years for the UK to untangle itself from more than 40 years of European Union membership. Even then, the UK may well remain within the European Economic Area. For U.S. companies with transatlantic operations concerned about eventual GDPR compliance, the best course is to continue a measured but deliberate approach.

The Immediate Impact

In terms of U.S.-UK data transfer standards or compliance requirements, there is little to no immediate impact. Though the European Court of Justice’s decision in the Schrems case last fall shifted attention to the EU Data Protection Directive and the invalidated Safe Harbor framework, the operative source of law for U.S.-UK data transfers is the UK Data Protection Act 1998. The DPA implements and in places expands upon the Directive’s principles. Furthermore, the Brexit vote is not Brexit itself. Until the UK actually negotiates its exit from the EU, it remains a member and subject to EU regulations.

The EEA Option and GDPR

The UK may elect to remain within the European Economic Area. Doing so would allow the country to engage in free trade with EU member states, assuming that the UK remains harmonized with EU laws. A decision to remain in the EEA would mean that GDPR will eventually take effect in the UK as originally planned.

The Fully Independent UK Option

If the UK exits both the EU and EEA and does not take action on data protection, it would likely become a “third country” as far as EU data protection laws are concerned, assuming the same status as the U.S. If that occurs, EU-to-UK data transfer could be subject to restrictions and an adequacy determination, a la Switzerland, Canada, and Israel. Such restrictions seem unlikely, however, since the DPA currently stands as one of the more comprehensive and strict data protection regulations in Europe. The UK has also already begun working towards eventual adoption of the GDPR.

Much like the “Brexit-lite” option of remaining in the EEA, FieldFisher, a leading European privacy firm, has speculated that the UK may consider adopting a law that amounts to “GDPR-lite”, though such a decision may have pitfalls.

For now, the best course for U.S. companies is to “Keep Calm” and take a wait-and-see approach to Brexit, while continuing to work towards general GDPR compliance.