As employers catch their breath after an action-packed 2016, they need to gear up for another turbulent year for international data privacy issues in 2017. The top five international data privacy issues follow.
1. Preparation for the GDPR
Although the EU General Data Protection Regulation (GDPR) will not take effect until May 2018, it is critical that employers begin preparations for compliance in 2017 so that the new obligations imposed by the GDPR are implemented on time. Among other requirements, the GDPR will require employers to revise their notices and consent mechanisms, implement a data breach notification scheme, hire or contract with Data Protection Officers, and implement data retention and deletion policies to comply with the “right to be forgotten.” The Article 29 Working Party, which comprises the various EU data protection authorities, has already issued guidance on several of these obligations and is expected to provide further guidance in 2017.
2. Changes to Privacy Shield
In 2016, several thousand U.S. companies self-certified under the Privacy Shield in order to transfer human resources data from the EU to the United States after the Safe Harbor Framework was invalidated in 2015. However, the validity of the Privacy Shield was challenged by the data privacy advocacy group, Digital Rights Ireland (DRI), at the end of last year and the case is pending in the European Court of Justice. DRI argues, among other things, that the Privacy Shield fails to provide EU citizens with adequate remedies to redress violations and fails to fully protect the rights of EU citizens regarding the transfer of their data. Additionally, pursuant to the terms of the Privacy Shield adequacy decision, the European Commission and the U.S. Department of Commerce will conduct a joint annual review of the Privacy Shield later this year to determine if any changes need to be made to address concerns raised since its inception in July 2016. It is expected that revisions will be made in light of the DRI challenge.
3. Decisions Regarding the Validity of the EU Model Contract Clauses
Many U.S. employers have opted not to join the Privacy Shield and have, instead, chosen to rely on EU Standard Contractual Clauses (SCCs) to transfer data from the EU to the United States. However, the validity of these clauses was challenged in 2016 by Maximilian Schrems, the individual who successfully challenged the validity of the Safe Harbor Framework before the European Court of Justice in 2015. Significantly, the challenge to the SCCs is based on the same grounds used by the European Court of Justice to invalidate Safe Harbor. The Irish Data Protection Authority preliminarily ruled in May 2016 that the challenge was well-founded and commenced a legal proceeding in Ireland’s High Court, which is expected this month to rule on the validity of the clauses and refer the matter to the European Court of Justice for final determination. If the European Court of Justice receives this case, it is expected that it will render a determination by the end of 2017 or early 2018 on whether the clauses are valid.
4. Increased Enforcement of EU Data Protection Laws
In November 2016, 10 German Data Protection Supervisory Authorities sent questionnaires to 500 randomly chosen companies in Germany as part of a coordinated investigation to determine whether the companies were transferring data to countries outside of the EU in compliance with German data protection law. Earlier, in June 2016, the data protection authority for Hamburg issued fines ranging between EUR 8,000 and EUR 11,000 to three companies that improperly transferred data outside of Germany after the invalidation of the Safe Harbor Framework without implementing a legally recognized replacement mechanism for such data transfers. It is anticipated that data protection authorities in other EU jurisdictions will follow Germany’s lead and crack down on employers that transfer HR data to the United States and other non-EU countries without implementing a legal mechanism for such transfers.
5. Compliance With Data Protection Laws of Non-EU Countries
While employers were consumed in 2016 with the changing data privacy landscape in the EU, they will need to broaden their data privacy compliance efforts to countries outside of the EU in 2017. Several countries such as Chile, Argentina, Qatar, Australia, Turkey, Korea, and the Philippines either implemented new data protection laws or revised their current laws in 2016. Further, on November 20, 2016, the heads of state of the 21 member economies of the Asia-Pacific Economic Cooperation (APEC) reaffirmed the APEC Cross-Border Privacy Rules (CBPR) System for the transfer of data among the member states. Though only Japan, the United States, Mexico, and Canada have joined the CBPR System, a recent survey has reported that Korea, Singapore, and the Philippines plan to join, while Australia, Hong Kong, Russia, Taiwan, and Vietnam are considering joining.