Earlier this year I discussed data privacy essentials for in-house counsel. The post discussed a number of basic data privacy issues, including the 2000 U.S.-EU Safe Harbor Agreement. The agreement allows U.S. companies that register and agree to its terms to legally transfer personal data from the EU into the U.S. The agreement was necessary because the European Commission (the “Commission”) determined that the U.S. did not have “adequate” data protection laws and, therefore, without such an agreement the ability to transfer personal data out of the EU and into the U.S. was limited due to provisions of Article 25(6) of the 1995 Data Protection Directive. The Safe Harbor Agreement remedied the problem by creating a mechanism under which U.S. companies could agree to apply core EU data protection principles to personal data and subject themselves to regulatory oversight by the Federal Trade Commission or the Department of Transportation.
Last week (October 6, 2015) the European Court of Justice invalidated the Safe Harbor Agreement. The court found that the agreement did not provide “essentially equivalent” data protection to EU citizens (primarily because of the then-unfettered access to personal data by U.S. intelligence agencies under the PRISM program). The court also held that local Data Protection Authorities (DPAs) are empowered to independently assess whether a non-EU country provides adequate protection, regardless of whether the Commission has already determined that it does.
The result is a big mess regarding how companies that relied on the Safe Harbor Agreement can legally transfer personal data out of the EU and into the U.S. and how things will work in the future if DPAs can override a Commission decision on the adequacy of data protection in non-EU countries. This edition of Ten Things discusses some practical things U.S. companies should do next in light of last week’s development.
A common complaint you will hear as in-house counsel is “Why does it take so long for you guys to review my contract?” (Second only to “Why are our contracts so long?”) The answer, as you know, is complicated. Legal is a limited resource, typically a small team that reviews hundreds and possibly thousands of contracts in any given year. While a lot of contracts are fairly routine, many involve complicated provisions or transactions with millions of dollars on the line. Sometimes you have to create a contract from scratch, meaning you do not have a form or something to easily model from. Frequently, things like litigation or large M&A deals take up substantial amounts of lawyer time — time that cannot be spent on contracts. Finally, legal will generally prioritize contracts based on the strategic objectives of the business. Deals that better support the strategy/objectives get more attention more quickly.
As we head into the holiday season, this is the perfect time to give your anti-bribery program a health check. For those in the U.S., we tend to focus on the Foreign Corrupt Practices Act when thinking about anti-bribery laws. However, if you work for a company that operates globally, you know that many countries have anti-bribery laws and you need to be aware of those requirements as well. Enforcement of the FCPA/anti-bribery laws is not going away. In fact, in my opinion, it will get even more intense over the next few years. Given the level of fines and the reputational risk at stake, it’s important to ensure you are taking the right steps to give your employees the tools they need to stay on the right side of the line. At my prior company, we typically used the advent of the holiday season as the time to take a number of steps relating to FCPA/anti-bribery compliance. Below are ten things you can do now to help ensure compliance with anti-bribery laws. In key spots, I have included links to articles or websites with additional information you might find helpful.