A brief rundown of developments in recent weeks in the area of EU data protection law:
EU Data Protection Regulation
On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking an important milestone in the ongoing effort to reform and modernize data protection law in the EU. (This development follows the European Commission’s publication of a proposed regulation in January 2012 and the European Parliament’s official agreement to a “compromise” version in March 2014.) Beginning this week, these bodies will begin negotiations to reconcile the three versions with a stated goal of promulgating a final regulation by the end of the year. The regulation will replace the 1995 Data Protection Directive and, once it comes into force, will apply directly in each of the EU member states, creating greater uniformity across the EU in respect of data protection standards.
Check back here next week for an overview of the key differences (and, thus, areas for negotiation) among the positions promulgated by the Commission, Parliament and Council.
As we recently reported, the US and EU continue to negotiate reforms to the US-EU Safe Harbor. It was announced earlier in June that progress is being made, and one EU official told the Wall Street Journal at that time that US officials were being given “another month” to address the EU’s concerns. As we’ve reported in the past, US government access to personal data appears to remain a sticking point.
Concurrent with these negotiations, the European Court of Justice (“ECJ”) also has been considering a broad challenge to the Safe Harbor in the case of Schrems v. Facebook Ireland Ltd. The plaintiff in that case has argued that, given the NSA/Snowden revelations, the Safe Harbor (upon which Facebook—like many other US-based companies—relies to transfer and hold users’ personal data in the US) could not provide adequate protection as a matter of EU law. The ECJ is considering, among other questions, whether a data protection authority can investigate an individual’s claim that the US does not adequately protect data transferred from the EU or whether it must accept as a matter of law that Safe Harbor compliance means data is adequately protected. The case has the potential to have far-reaching effects if the ECJ were to reach the merits of the sufficiency of the Safe Harbor program (as opposed to simply addressing whether the Irish data protection authorities may investigate and/or punting in light of the ongoing reform negotiations). An opinion was originally scheduled to be issued on June 24, 2015, but it was disclosed last week that the opinion will be delayed, and no new publication date has yet been announced.
**This post also appears on Proskauer’s Privacy Law Blog.**
The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post.
Established in 1998, the Safe Harbor program provides a mechanism by which companies can publicly represent that they have established internal controls that provide an adequate level of protection, thereby permitting transfers of personal information from the EU to the US. (EU data protection law provides that – with limited exceptions – personal data can be transferred outside the European Economic Area only if an adequate level of protection is ensured, and the US is not among the countries whose laws the EU Commission has identified as providing adequate protection.)
Although there have been critics of the Safe Harbor program since its inception (particularly around issues of transparency and dispute resolution), criticism has been at an all-time high since the disclosure in 2013 of the U.S. National Security Agency’s surveillance activities. In response to these widespread concerns, the EU Commission issued a report in November 2013 setting forth 13 specific recommendations aimed at promoting transparency, ensuring effective dispute resolution and enforcement, and limiting access to personal information by U.S. authorities. Notable recommendations include:
- Notify the Department of Commerce regarding contracts with subcontractors, including cloud computing services, that will involve the transfer of personal data and make publicly available information regarding the privacy safeguards that are included in such contracts;
- Addressing affordability concerns with respect to alternative dispute resolution mechanisms and increased monitoring of ADR providers;
- Random audits by US authorities to ensure companies are in compliance with their privacy policies and investigation of false claims of Safe Harbor compliance; and
- Inclusion in privacy policies of information regarding the extent to which US law would allow US authorities to access data transferred under the Safe Harbor.
Although the EU Commission initially hoped to finalize reforms last summer, talks continue. It was revealed in November 2013 that agreement has been reached on most of the EU Commission’s recommendations but that US government access to personal data remains a sticking point. The EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, stated in January that the EU had indicated to the US that reforms must include “sufficient guarantees on national security access” and that the EU had “recently registered concrete engagement from the US on this issue.” She indicated a goal of finalizing a reform package by May of this year.
Accordingly, although there have been calls and threats for complete cancellation or suspension of the Safe Harbor program, this remains unlikely, not least because of the extreme economic consequences that would flow from such action. However, it appears certain that reforms will be implemented, and although the full scope of such changes is not yet known, companies can and should begin to prepare. Specifically, current Safe Harbor members, and those considering certification, would be prudent to:
- Consider a self-assessment of compliance with their data privacy policies and applicable data protection requirements;
- Examine their options in respect of ADR and consider the impact of a requirement that ADR be made free for data subjects seeking to utilize it; and
- Begin to identify vendor contracts that contain (or should contain) privacy provisions to ensure that they comply with the Safe Harbor requirements and to assess the feasibility of disclosing these provisions should that requirement be implemented.
We will continue to monitor the reform negotiations and will report here of any developments.
**This post also appears on Proskauer’s Privacy Law Blog.**
India recently enacted the Sexual Harassment of Women at the Workplace (Prevention, Prohibition and Redressal Act) 2013, which protects all “aggrieved women” in the workplace from unlawful harassment. To be clear, the term “aggrieved women” includes both employees and non-employees. The Act represents a drastic shift in the law that will require all employers with a presence in India to implement the requisite policies and procedures outlined in the statute. Continue Reading
This article is also authored by Steven J Pearlman and Harris M Mufson
In Liu v. Siemens A.G., No. 13-cv-4385, 2014 WL 3953672 (2d Cir. Aug. 14, 2014), the Second Circuit affirmed that the anti-retaliation provision in Section 922 of Dodd-Frank does not apply extraterritorially. This post examines the Court’s reasoning and the implications of this decision—particularly for multinational employers. For more on this decision, please review our Firm’s client alert. Continue Reading
As originally published on Proskauer’s Whistleblower Defense blog, in the UK, whistleblowing law is based on a statute prohibiting a “worker” being dismissed or subjected to any other detriment because of having made a “protected disclosure”. Until recently, the general view was that the definition of “worker”, and therefore whistleblowing protection, did not extend to partners. There were many reasons for this view, such as the fact that discrimination legislation (which protects partners as well as other workers), is, in contrast to whistleblowing legislation, explicit as to its application to partners. However, this week, a landmark Supreme Court decision, Clyde & Co. LLP v. Van Winkelhof (overturning a decision of the Court of Appeal) held that partners were “workers” and therefore legislation protecting whistleblowers applies to partners in the same way that it applies to employees. This decision has some very significant consequences, especially in the financial and professional services industries where so many individuals are engaged as partners.
To read the blog post in its original entirety, please visit: UK Whistleblower Protection Extended to Partners.
Two Proskauer Labor & Employment partners Allan Bloom and Kathleen McKenna attended the Cambridge Forum’s International Forum on Employment Law held in Surrey, UK on May 14th – 16th, 2014. Practitioners from 26 countries participated, and engaged in a two-day roundtable on various issues of common interest to global employers, including the future of employment law, cross-border data protection, global mobility, labor issues in international mergers and acquisitions, restrictive covenants, and the future of industrial labor relations. The Forum’s Steering Committee welcomes up to 44 legal practitioners from across the globe, each of whom has been selected based on their experience and specialization in International Employment Law. The invitation-only aspect ensures there is a high and common standard of fluency among all participants of the issues to be discussed.
Social media around the world continues to evolve and so does the International Labor and Employment Group at Proskauer. For a third year, Proskauer and its global partners have conducted a survey of multinational businesses to learn how they are dealing with use of this new media in the workplace. Our third annual survey received more than 110 responses from a broad range of businesses, many with a global presence. The results revealed a number of notable findings and developments including:
- nearly 90% of businesses surveyed now use social media for business purposes.
- more than 70% of businesses reported having to take disciplinary action against employees for misuse (compared to 35% in previous years).
Click here to view the results of our survey, including a summary of key employment law issues, best practices and takeaways from around the world that arise as a result of social media use at work.
In the first of our new series of labor and employment updates from around the world, we focus on Germany, where there have been a number of recent and significant developments. With the help of Gleiss Lutz (a firm with offices throughout Germany), we are delighted to provide you with the latest news from Germany.
As so often happens in the aftermath of an election, the new German Government has turned its attention to labor and employment law, and has already announced new and significant legislation. On top of this, there have been some recent important judgments from the Federal Labor Court. Continue Reading
Fabien Ganivet has joined our Paris office as International Counsel and will support our group in all aspects of employment-related criminal law and in relation to management crisis. He advises companies in their risk-analysis procedures and assist them in the contact of litigation or contentious matters before judicial courts and administrative authorities. More general, his expertise encompasses all areas of criminal litigation, white collar defense and press and media law.
Michelle Gyves has joined our New York office as an Associate and focuses her practice on providing strategic advice and counseling to domestic and multinational employers on a wide range of employment law matters. These matters include hiring and termination, compensation and benefits, and global mobility. Michelle also advises employers with regard to labor, employment and benefits issues, and conducts benefits and human resources due diligence, in connection with both domestic and cross-border corporate merger and acquisition transactions. Michelle is a member of the International Law Section of the American Bar Association, International Employment Committee.
In Villanueva v. United States Department of Labor, No. 12-60122, 2014 WL 550817 (5th Cir. Feb. 12, 2014), the Fifth Circuit Court of Appeals held that the petitioner had not engaged in protected activity under Section 806 of the Sarbanes-Oxley Act of 2002 (“SOX”) because he “blew the whistle” on alleged violations of Colombian tax law, not one of the six categories of U.S. law enumerated in the statute. This blog post summarizes the Court’s holding and analyzes the implications for employers. Continue Reading