Data privacy meets a world of risk: a landscape in turmoil.

Author: Montana, John C.
Position: FELLOWS FORUM

Despite this year's passage of the EU-U.S. Privacy Shield agreement and the EU's General Data Privacy Regulation, the privacy landscape remains unstable, leaving organizations uncertain about their next steps. This article explores the causes of the instability and suggests how organizations might respond.

2016 continued a tumultuous string of years for privacy law and for those charged with implementing it and managing the records affected by it. Prior years saw an assortment of inter-governmental squabbles related to eavesdropping by U.S. intelligence agencies, disputes over intelligence sharing for counter-intelligence purposes, and ongoing concerns in Europe over the adequacy of the Safe Harbor arrangement between the European Union (EU) and the United States.

In each of these cases, there was tension between the purported need to make information transfers and the countervailing desire of governments or individuals to keep information private. The cases created issues for organizations outside of government, caught as they often were between conflicting demands and responsibilities on both sides of the Atlantic and their own needs to use personal information for business purposes.

Safe Harbor Gives Way to Privacy Shield

These issues were distilled in Schrems v. Data Privacy Commissioner (C-362/14 (Oct. 6, 2015)), in which law student Max Schrems sued in the European courts, alleging that Facebook's policies and practices violated EU data privacy law, and, thereby, so did the Safe Harbor Agreement, which permitted transfer of EU data from the EU to the United States under specified conditions.

Shield Cedes Power to DPAs

Late in 2015, after years of litigation, the European High Court of Justice in the Schrems case finally issued a ruling. The decision did not, strictly speaking, invalidate the Safe Harbor Agreement. Rather, the court ruled the agreement was nonbinding on national data privacy authorities (DPAs), throwing 20 years of practice and doctrine into a state of great uncertainty.

The Schrems decision had the effect of allowing a national DPA to find a violation for any data transfer to the United States. Given the extent and duration of data transfer that had occurred, and the scope of potential penalties--up to 4% of a company's worldwide revenue--this new DPA power was, and remains, a matter of considerable concern to all.

Data Privacy Regulation Brings Little Relief

2016 at first seemed to have brought relief from the court's decision. Early in the year, the European Union published the new General Data Privacy Regulation (GDPR), as well as the EU-U.S. Privacy Shield Agreement, which were intended to relieve the uncertainties arising from the Safe Harbor...
