Password Protected

Data Privacy & Security News and Trends

A Storm Brews: Retailers Push Back Against Payment Card Industry Data Security Standards

Posted in Data breach, Financial Services Information Management, FTC enforcement, Retail

As businesses and financial institutions grapple with data security in the wake of high profile breaches, tensions between retailers and the credit card industry over the creation and implementation of security standards appear to be growing. The disagreements between these two groups manifested themselves on June 2, when the National Retail Federation (“NRF”), the world’s largest retail trade association, announced that it sent a nineteen-page white paper to the Federal Trade Commission (“FTC”) encouraging it to investigate the Payment Card Industry Security Standards Council (“PCI”) for potential antitrust violations. PCI, an organization formed by major credit card companies in 2006, promulgates Data Security Standards (“DSS”) for merchants and service providers to follow for credit and debit card transactions.  The NRF’s white paper attacks both the PCI DSS as well as the PCI and its standards more generally, arguing that PCI is acting collusively and that the PCI DSS should not be adopted as a government standard.  The white paper comes after the FTC announced in March that it had issued orders to nine major companies requiring them to detail their compliance with the PCI DSS.

In its white paper, the NRF urged the FTC not to rely on the PCI DSS “for any purpose,” and “particularly not as an example of industry best practices.”  The NRF argued that PCI was formed and is controlled by a single industry sector—major credit card companies—without input from retailers or other stakeholders, and that its motivations “conflict with the interests of businesses and consumers who use the payment card system.” NRF claimed that PCI’s actions in promulgating DSS that require retailers to invest in particular software and hardware (such as chip-and-PIN payment systems) amount to anticompetitive conduct potentially in violation of antitrust law.  The white paper argued that the PCI DSS, by requiring the adoption of specific proprietary technology, serves to “shift costs associated with data security—and notably, data breaches—onto merchants” while simultaneously benefiting payment card industry stakeholders.  NRF also argued that the PCI DSS are not in fact more secure than cheaper alternatives (such as PIN-entry systems that do not require chip readers), and that PCI’s promotion of its standards constitutes a “scheme” designed to benefit PCI members at the expense of retailers.  In response to the NRF’s announcement, PCI issued a statement declaring that it “strongly disagreed with the unfounded assertions” in the NRF’s letter.

The NRF’s public announcement reflects the storm brewing between retailers and credit card companies over who should develop enhanced security standards and what those standards will be, as well as who will bear the cost of implementing those standards.  The FTC’s potential adoption of the PCI DSS as a standard for determining the strength of companies’ data security practices would represent a significant step in establishing these standards as requirements, rather than non-binding suggestions, for all U.S. retailers.  NRF’s strident statement that PCI is engaging in anticompetitive activity and acting contrary to the interests of retailers and consumers demonstrates that retailers do not intend to allow this development to occur without a fight.

McGuireWoods LLP is a member of the NRF but had no involvement in the NRF’s announcement and letter to the FTC, and takes no position on the statements made by either the NRF or PCI.  McGuireWoods LLP represents a range of financial services institutions as well as retailers.

8th Circuit: Financial Institution Bond Provides Coverage for Fraudulent Wire Transfers

Posted in Cyber Insurance, Cybersecurity, Data breach

With policyholders facing increased losses from hacking and business email compromise, insurers are fighting hard to escape their obligations under financial institution bonds, crime policies and cyber insurance policies. In a case that  bolsters policyholders seeking coverage for digital fraud, the U.S. Court of Appeals for the Eighth Circuit held that a bank’s financial institution bond provided coverage for losses arising from the fraudulent transfer of $485,000 by computer hackers to a foreign bank, even though the bank’s employees were negligent in securing the bank’s computer network.

In its May 20 decision, issued in State Bank of Bellingham v. BancInsure, Inc., No. 14-3432, — F.3d —, 2016 WL 2943161 (8th Cir. May 20, 2016), the Eighth Circuit affirmed the District Court’s conclusion that the efficient and proximate cause of the loss was the criminal activity of the third-party hackers.

The Underlying Breach and Loss

In October 2011, an employee of the State Bank of Bellingham (the “Bank”) completed a wire transfer, which required several security steps, including the entry of the names and passwords of two Bank employees and the insertion of two physical tokens.  At the end of the work day, the employee left the two tokens in the computer and left the computer running.  Prior to the wire transfer, a Zeus Trojan horse virus had infected the Bank’s computer system.  This virus then allowed a computer hacker to access the Bank’s network and transfer funds to accounts in Poland (the “Loss”).

The Bank held a financial institution bond issued by BancInsure providing coverage for losses such as those arising from dishonesty and computer systems fraud.  The Bank submitted a claim and proof of loss to BancInsure seeking coverage for the Loss.  BancInsure denied coverage, relying on exclusions for (a) employee-caused losses, (b) theft of confidential information, and (c) mechanical breakdown or deterioration of a computer system.

The Litigation and the District Court Decision

The Bank filed suit seeking damages for the insurer’s breach of contract.  The U.S. District Court for the District of Minnesota granted the Bank’s motion for summary judgment, holding that the “computer systems fraud was the efficient and proximate cause of [Bank’s] loss,” and “neither the employees’ violations of policies and practices … the taking of confidential passwords, nor the failure to update the computer’s antivirus software was the efficient and proximate cause of [Bank’s] loss.”

The Eighth Circuit Decision

Home Depot Alleges Visa, MasterCard Colluded To Delay Chip-and-PIN Implementation; Exposed Retailers, Consumers to Data Breach Risks

Posted in Data Protection and Competition, Financial Services Information Management

A recent bombshell lawsuit by The Home Depot alleges patterns of antitrust violations, illegal collusion, and anti-competitive conduct by the Visa and MasterCard credit card networks. The suit arises in a climate in which the networks are increasingly under attack by retailers, and in which The Home Depot is embroiled in extensive litigation stemming from a massive 2014 breach of customer data.  Finally, for consumers concerned with payment card security, the suit highlights potential weaknesses in some U.S. payment card technologies – particularly when compared to systems widely used overseas.

The Home Depot’s Lawsuit and Allegations

On Monday June 13, 2016, The Home Depot filed a 138-page complaint against Visa and MasterCard alleging the credit card behemoths engaged in collusion and price fixing to delay implementation of effective chip-and-PIN security technology in payment cards in the United States. As alleged in the Complaint, the use of Personal Identification Number (“PIN”) verification along with “EMV” chips (“chip-and-PIN”) has been widely used in Europe since the mid-1990s “to make credit and debit card transactions safer and less prone to fraud.”

SEC’s IT Security Under Attack as It Attacks Others

Posted in Cybersecurity

The inspector general (IG) of the U.S. Securities and Exchange Commission (SEC) reported last week that the SEC has not sufficiently implemented information technology security upgrades to protect highly sensitive information from data breaches. The IG reported that SEC officials failed to deactivate idle user accounts, did not ensure that system owners kept their systems performing consistently, and failed to monitor risks. The Office of Information Technology did not implement a risk committee or ensure that employees follow best practices.  Inspector General Carl Hoecker made more specific recommendations, which were not released because they contain sensitive information. A spokesman for the SEC said the agency agreed with the recommendations but declined to comment further.  The SEC did implement some changes since last year following the Federal Information Security Modernization Act of 2014: it improved its personal identity verification, established multifactor authentication, and generally improved identity and access management.

The IG report mirrors similar Government Accountability Office findings released late last month. The GAO report outlined key areas of weakness in the SEC’s information security controls, including a lack of segregation between the agency’s computing environments and a failure to review and update plans for how systems could be recovered in the case of a disaster. The GAO particularly focused on the SEC’s failure to control access to its network, finding that the agency did not always restrict traffic passing through firewalls and did not ensure that only authorized people could access its filing systems. Weaknesses also were found in the physical security of SEC facilities.  Stephanie Avakian, deputy director for the agency’s enforcement division, said in February that the agency was monitoring how companies react in the wake of data breaches.

Cybersecurity is the biggest risk facing the financial system, the SEC has said repeatedly. While the SEC has been criticized for its porous cybersecurity, the SEC has led numerous cybersecurity enforcement efforts on Wall Street. The SEC has fined various investment advisers tens of thousands of dollars for failing to implement proper cybersecurity policies before systems were hacked.  Such enforcement efforts are expected to continue.

HIPAA Heats Up

Posted in Data retention, Information Management, Privacy

Despite the issuance of the Omnibus Final Rule in 2013, HIPAA enforcement activity has remained relatively light—until recently. Indeed, compared to just a few settlements a year for the first decade that HIPAA was in force, from September 2015 through April 2016, HIPAA settlements have been coming out at a pace of more than one a month.  Moreover, the dollar amounts involved are significant: $750k, $3.5M, $750k, $240k, $1.55M, $3.9M, $750k, and $2.2M.  This alone should be a wake-up call for any covered entity or business associate that must comply with applicable provisions of HIPAA.  But, it isn’t the only thing making HIPAA hot right now.

Indeed, the Round 2 HIPAA audits have begun.  In the last several weeks, hundreds of covered entities have received surveys that request a variety of information that will be used to identify a broad cross-section of covered entities.  Very significantly, this round of HIPAA audits will also include business associates.  One of the questions in the surveys requires covered entities to identify their business associates.

Unlike the first round of HIPAA audits, the Round 2 audits may result in disciplinary actions.  Given the results of the first round audit—that an overwhelming number of covered entities had HIPAA compliance deficiencies, primarily with respect to HIPAA’s Security Rule—we can expect a flurry of enforcement actions as a result of the latest audits.

So what is a covered entity or business associate to do?  The answer is simple: take HIPAA seriously and get your HIPAA house in order—now!  Then, continue to keep it tidy.

Below is a top ten list of action items to help ensure compliance:

  1. Update policies and procedures – both privacy and security
  2. Ensure that authorizations for release of health information are in plain language
  3. Have expressly-named privacy and security officers, which can be the same person
  4. Ensure that there is a sanctions policy, either referenced by or included in the HIPAA policies and procedures
  5. Update the entity’s security rule risk assessment – completed as a roadmap to demonstrate compliance (not just treated as a checklist)
  6. Refresh workforce training, with documentation of the materials and those who attended
  7. Ensure that business associate agreements are in place with business associates
  8. Create a current and comprehensive list of business associate agreements
  9. Ensure that notice of privacy practices are updated to meet the Omnibus Final Rule requirements, with appropriate posting/distributing, in plain language
  10. Develop a breach response plan if it is not otherwise addressed in the HIPAA policies and procedures

To the degree there is good news about HIPAA enforcement and the audits, it is that the Office for Civil Rights (OCR) tends to take a corrective, rather than punitive, approach to HIPAA non-compliance. As OCR officials have stated at major national meetings, such as the recent International Association of Privacy Professionals Privacy Summit, the OCR is more interested in ensuring compliance than in specifically punishing entities.

Of course, only time will tell what will happen with the Round 2 audits, but we do know this: HIPAA isn’t going away; covered entities and business associates have since 2013 had to come into compliance with the Omnibus Final Rule revisions to HIPAA, and enforcement is almost certain to increase in the future.

If you need assistance with the implementation of a HIPAA compliance program to minimize risks to health information privacy and security, please contact us.

Arizona Court Rules That Chubb Cyber Policy Does Not Cover Credit Card Theft Losses

Posted in Cyber Insurance, Cybersecurity, Data breach

As cyber attacks increase at an unprecedented pace, more and more businesses are purchasing cyber insurance to protect against that risk. The insurance industry now faces an avalanche of claims, and those claims now are moving to the litigation phase.  In one of the first decisions interpreting a cyber insurance policy, an Arizona federal court on May 31 allowed Federal Insurance Company (“Chubb”) to escape liability under a cyber insurance policy for losses arising from the theft of 60,000 credit card numbers from P. F. Chang’s China Bistro, Inc. See P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).

The Breach and Its Consequences

In 2014, a hacker infiltrated P.F. Chang’s China Bistro’s computer system and stole 60,000 credit card numbers from its customers.  The hacker posted the stolen numbers on the internet.  Chubb insured Chang’s under a “CyberSecurity by Chubb Policy,” and the restaurant immediately provided notice to Chubb of the breach.

Chang’s engaged third parties to investigate the event, notify card holders and provide legal and other advice, and to help it carry out its breach notification obligations.  Unfortunately, P.F. Chang’s also had to defend class action lawsuits.  Chubb provided coverage for these costs, which were approximately $1.7 million.

Chubb refused to provide coverage for the remainder of P.F. Chang’s loss, however.  Credit card holders are protected from fraudulent charges arising from the theft of credit cards.  The banks issuing the credit cards (the issuing banks) reimburse the card holders for the losses.  In addition, the issuing banks are obligated to issue new credit cards.

Issuing banks have recourse, however.  The issuing banks enter into contracts with MasterCard.  P.F. Chang’s (and all merchants accepting credit cards) enters into contracts with acquiring or merchant banks to process charges, and the acquiring banks enter into contracts with MasterCard.  A set of rules published by MasterCard governs the relationships among the issuing banks, MasterCard and the acquiring banks, and these rules are incorporated into MasterCard’s contracts with issuing banks and acquiring banks.  In the event a retailer suffers a security breach resulting in unauthorized access to account data, these rules hold the retailer’s acquiring bank liable for the fraudulent charges incurred by the issuing banks.  This is accomplished through an assessment from the payment card brand.  The acquiring bank, in turn, has recourse against the retailer who experienced the breach.

Here, MasterCard issued a roughly $1.9 million assessment to the acquiring bank and processor of P.F. Chang’s credit card sales.  The assessment included several components.  About $1.7 million comprised fraudulent charges; about $200,000 involved notification and card replacement costs and administrative fees.  Chang’s contract with the acquiring bank obligated the restaurant to pay the assessment.  P.F. Chang’s demanded that Chubb reimburse the MasterCard assessment, and Chubb denied coverage.

The Coverage Litigation

P.F. Chang’s filed suit against Chubb.  Chubb moved for summary judgment, arguing the claim fell outside the policy’s insuring agreement and that the losses were excluded.  Although the court noted at the outset of the opinion that Chubb had marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches,” it nevertheless agreed with Chubb and granted its motion for summary judgment.

P.F. Chang’s argued the majority of the assessment by MasterCard (the fraudulent charges), for which Chang’s was contractually liable, fell within the policy’s grant of coverage for Privacy Injury, which the policy defined as an “injury sustained or allegedly sustained by a ‘Person’ because of actual or potential unauthorized access to such ‘Person’s’ ‘record’ . . . .” The court rejected the insured’s claim and held that the Privacy Injury coverage applied only when a person suffering the privacy injury made a claim against the insured, and because the acquiring bank had not suffered a privacy injury, the Privacy Injury coverage did not apply.

Relying on cases interpreting commercial general liability policies, the court also found that two contractual liability exclusions barred coverage for the entire claim. These included an exclusion for “any liability assumed by any ‘Insured’ under any contract or agreement” and an exclusion for “any cost or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any ‘insured.’”  Because P.F. Chang’s had agreed to reimburse the acquiring bank for the assessments, the court concluded the exclusions applied.

In reaching this decision, the court rejected P.F. Chang’s argument that the exclusion should not apply because Chang’s would have been liable to the acquiring bank even in the absence of the indemnification agreement. The court also found unavailing the restaurant’s argument that its payment to the acquiring bank was the “functional equivalent” of compensating the victims of Privacy Injury, because P.F. Chang’s failed to offer evidence that it would have been liable for the MasterCard assessment absent the agreement with the bank.

The court finally rejected Chang’s argument that coverage existed under the reasonable expectations doctrine. Although P.F. Chang’s presented evidence that Chubb represented that its policy afforded coverage for direct loss, legal liability and consequential loss resulting from cyber security breaches, the court concluded that this evidence was insufficient to establish that Chang’s had a reasonable expectation of coverage for the payments it made to its bank.

Impact

P.F. Chang’s purchased an insurance policy to protect itself from liability arising from a breach of its computer systems, but in this case, the cyber insurance policy provided only a partial recovery for the insured.  Contrary to basic principles of insurance law, the court narrowly construed the insuring agreement and broadly construed the exclusions to find that no coverage existed for the losses arising from the claim by the acquiring bank against Chang’s.  While it is true that the acquiring bank’s own “records” were not stolen, the fraudulent charges arose from claims by customers whose card numbers were stolen.  The acquiring bank was merely a conduit to pass along those losses.  Therefore, the court should have found coverage.

This case demonstrates that carriers will advertise that their policies offer broad coverage, but when faced with a claim, insurers will fight hard to limit the coverage.

The ruling also sends a clear warning to retailers.  A primary risk to a retailer following a cyber breach is an assessment from Visa or MasterCard passed on to it by an acquiring bank, and this court found that losses arising from these assessments are not covered losses, at least under this Chubb policy.

It is important for policyholders to evaluate the purchase of a cyber insurance policy carefully, and if you have purchased a cyber policy, you should consider carefully the coverage that is available under that policy.  Property and general liability policies are standardized, but the market for cyber insurance is dynamic, and cyber policies vary significantly.  One cyber policy may cover a loss and another may not.

Risk managers and business owners should consult with coverage counsel as they evaluate the purchase of a cyber policy.  McGuireWoods can assist, and for more information, please see our Legal Alert, A Buyer’s Guide to Cyber Insurance.

Criticisms over the Draft Adequacy Decision by the European Data Protection Supervisor: Final Lap for the Privacy Shield?

Posted in EU Data Protection, Legislation, Privacy

Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion n° 4/2016 of May 30, its concerns about the compliance of the draft adequacy decision on the EU-U.S. Privacy Shield (available here) with the Schrems ruling. As a refresher, this ruling, issued on October 6, 2015 by the EU Court of Justice (CJEU) (C-362/14), invalidated the Safe Harbor framework, which allowed EU companies to transfer personal data to certain self-certified U.S. companies. Since the EDPS is one of the most influential voices on the CJEU regarding data protection matters, this opinion should be carefully considered.

The EU and U.S. negotiators are caught between competing sides. For obvious reasons, industry urges the negotiators to reach an agreement before the end of summer and the U.S. elections. On the other side, the WP29 and the EDPS outline the imperative to meet the requirements resulting from the Schrems ruling by reaching an agreement ensuring “a level of protection of fundamental rights and freedoms that is [not necessarily identical but] essentially equivalent to that guaranteed within the European Union”. The outcome of this negotiation depends on whether U.S. legislation will provide the guarantees of implementation and enforcement of the commitments made under the agreement.

In its opinion, the EDPS targets the lack of precision of certain provisions and recommends strengthening certain principles:

  • Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Data retention: data must not be retained longer than is necessary for the purpose for which it is processed;
  • Automated processing: every person should have the right not to be subject to a decision based solely on automated processing which significantly affects him/her;
  • Onward transfers: those transfers should not enable third parties and foreign importers to circumvent the Privacy Shield framework; and
  • Data subjects’ right: the provisions addressing the right to access and the right to object should be improved.

The EDPS welcomes the efforts towards increased transparency in the information provided on access to data by U.S. authorities. However, according to the EDPS, the Privacy Shield should better specify the notion of “foreign intelligence” and the purposes for which derogations “necessary to meet national security, law enforcement or any public interest requirement” are possible.

The EDPS also recommends improving the redress mechanisms by providing specific commitments that (i) the proposed Ombudsperson will be able to act independently not only from the intelligence community but from any authority, (ii) the requests for information and cooperation from this Ombudsperson will be effectively implemented by all U.S. agencies, (iii) the level of protection of U.S. and non-U.S. data subjects will be identical. The EDPS encourages exploring the possibility of involving EU representatives in the assessment of the oversight system results.

One of the major merits of this opinion is to promote general and long-term objectives that can lead negotiations toward a stable agreement. According to the EDPS:

  • The final adequacy assessment should not only include regulations directly related to the U.S. commitments but all federal and state laws that could allow access for public interest purposes;
  • As required by the CJEU and the WP29, in order to check whether the finding relating to the adequacy decision is still factually justified, the annual joint review of the application of the Privacy Shield should not only include meetings with public and private entities but also “on-the-spot verifications”;
  • Last but not least, the new elements of the General Data Protection Regulation (GDPR), which will replace the current Directive in about two years, should be put on the negotiating table, including the privacy by design and by default principles, data portability and the criteria for future third countries adequacy decisions.

For more information on the Privacy Shield and the GDPR, please refer to the following prior Password Protected blog posts:

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

New Tough and Harmonized Framework for EU Data Protection

EU-U.S. Privacy Shield: Better or Worse?

Replacing Safe Harbor: EU-U.S. Privacy Shield Announced

U.S. Chamber of Commerce and Business Europe Request Quick, Perennial Safe Harbor Fix

Safe Harbor Invalidated by the CJEU; Are There Other Solutions for Transatlantic Transfers?

Means, Other Than Safe Harbor, of Transferring Personal Data to the U.S. Potentially Vitiated?

CJEU Declares the EU Commission Safe Harbor Decision Invalid

ERISA and Cybersecurity

Posted in Cybersecurity, Data breach

Employee benefit plan data stored online may include participants’ names and Social Security numbers, account information and protected health information (PHI), all of which are inviting targets for hackers. Highly-publicized data breaches in recent years have called attention to the obligations of benefit plan administrators (typically the employers sponsoring the plans) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard PHI.

These data breaches are also causing benefit plan administrators and other fiduciaries under the Employee Retirement Income Security Act of 1974 (ERISA) to consider whether their ERISA responsibilities include securing online plan data from cyberattacks, especially as to 401(k) and other benefit plans that are not subject to HIPAA. Although definitive guidance has not been provided, fiduciaries would be well-advised to proceed on the assumption that cybersecurity is an ERISA issue.

The Cybersecurity ERISA Regulatory Gap

When ERISA was enacted, the predecessor to today’s Internet was in its formative years. Although online storage of benefit plan data has been the norm for some time, Congress has not amended ERISA to address cybersecurity. Moreover, the Department of Labor (DOL), which is charged with enforcing ERISA, has not formally addressed cybersecurity in the ERISA context.

In 2011, the ERISA Advisory Council, established to advise the Secretary of Labor, recommended that the DOL issue guidance on the obligation of plan fiduciaries to secure and keep private the personally identifiable information of plan participants and beneficiaries. In a recent release, the current council indicated that its goal is to offer the DOL draft materials that will help plan sponsors understand, evaluate and protect benefit plan data and assets from cybersecurity risks.

Social Media’s Expanding Distribution of Internet Advertising Impacts Privacy and Security

Posted in Consumer Privacy/FTC, E-commerce, Other, Privacy

Last week, social media giant Facebook announced an expansion of its online advertising business to include serving ads to users who are not members of Facebook. Under a press posting titled “Bringing People Better Ads,” Facebook decried ads that are “annoying, distracting or misleading” and talked about its efforts to do better.  This move highlights again the sometimes contentious topic of Internet ads and ad-blocking technology. Internet advertising and the technological and social aspects of ad-blocking have important consequences for user privacy and data security, both for individuals and for enterprises.

In the press information posted on its news site, Facebook talked about some of the issues raised by “bad” advertising. Much of the discussion of ads and ad-blocking has focused on user inconvenience and consumer ethics. On the one hand, Internet advertising slows the retrieval of requested content, utilizes megabytes of expensive bandwidth, drains power-thirsty mobile batteries, and annoys users with unexpected sound and video. On the other hand, some ask whether it is right to block ads but still consume ad-supported content when, as Facebook noted, “apps rely on advertising to pay the bills.”

The ad-blocking debate also has an “us” versus “them” element, as Internet companies dependent on advertising revenue are pitted against those that profit from device sales. Indeed, the expansion of ad-blocking to some mobile platforms last year was seen by some as a competitive step by smartphone providers aimed at search and social network companies.

New Threat to Transatlantic Personal Data Transfers: Possible Invalidation of Standard Contractual Clauses

Posted in EU Data Protection, Legislation, Privacy, Surveillance

Since 2013 revelations about U.S. mass surveillance, the transfers of personal data between the EU and the U.S. have encountered regular legal threats: cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) in the Schrems case in October 2015, serious criticism from some EU institutions and national data protection authorities concerning the draft of the Privacy Shield, and a declaration by the Article 29 Working Party concerning the future review of standard contractual clauses (SCCs) and binding corporate rules as transfer mechanisms.

After the cancellation of the Safe Harbor, the Irish High Court, from which the referral to the CJEU originated, ordered in the same Schrems case, still pending at national level, an investigation concerning Facebook’s international transfers of personal data. The result of this investigation was revealed by Max Schrems himself in a May 25, 2016, press release where he declared:

In an unpublished draft decision of May 24th 2016 the Irish DPC followed the objections of the Complainant Mr. Schrems in the procedure between Mr. Schrems and Facebook Ireland Ltd. Mr. Schrems claimed that Facebook USA continues to be subject to U.S. mass surveillance laws, independent of the use of “model causes” or “Safe Harbor” and that his data continues to be subject to fundamental rights violations once it reaches the United States.

In consequence of this, the Irish Data Protection Commissioner (Irish data protection authority) has decided that it will again refer the case to the CJEU to determine the legal status of data transfers to the U.S. under SCCs.  The risk that the CJEU will declare that the transfers to the U.S. based on SCCs are vitiated for the same reasons as those relating to the cancellation of the Safe Harbor is very high.  Therefore, it is clear that both the EU and the U.S. have an important common interest to improve the draft of the Privacy Shield still under discussion.