Will the GDPR Apply to U.S. Government Agencies?
Though the GDPR applies to both public and private entities, the U.S. government will likely rely on ad-hoc agreements to meet some of its obligations instead of fully complying.
May 18, 2018 at 08:00 AM
4 minute read
Complying with the EU's General Data Protection Regulation (GDPR) means different things for different groups. For many corporations, it means revamping consent and data handling processes and bringing on new staff. For law firms, means more client work.
But there is one group still deciding how the regulation will affect them: U.S. government agencies. Since the EU regulation applies to all worldwide entities that manage or process the personal data of EU citizens, in theory, some agencies, such as the U.S. State Department or the Department of Homeland Security, can fall under its purview. In reality, however, the situation is far more complex.
“Of course the GDPR, by its terms, applies to public authorities both in the EU and outside of Europe,” said Karen Neuman, a former chief privacy officer at U.S. Department of Homeland Security who is now partner at Goodwin and member of its Privacy + Cybersecurity practice.
But she added that how agencies may be affected by GDPR is far less clear than how private enterprises will be. “Whether and to what extent the U.S. government and its agencies consider themselves subject to the GDPR is a different question.”
To be sure, U.S. government agencies handling EU personal data are likely subject to some contractual restrictions that, while not necessarily from the GDPR itself, echo similar data privacy principles.
“There are circumstances where rather than subject themselves or think of themselves as being subject to the GDPR and to data protection rights, they have negotiated various information exchange agreements with the EU,” Neuman said. “Those data subject rights and GDPR protections are embodied in the various information sharing agreements, whether it's through the Privacy Shield or law enforcement agreements, including the 'umbrella agreement' between the U.S. and the EU for the sharing of law enforcement information.”
Those agreements, she added, reflect “a concerted effort to anticipate the requirements of the GDPR and ensure those protections were embodied in the agreements to the greatest extent possible without conflicting with U.S. law.”
Still, the agreements do not completely parallel principles and provisions in the GDPR. The Privacy Shield, for instance, does not place restrictions on automated processing and decision-making with EU citizen data, which is part of the GDPR's Article 22. In a report following the Annual Joint Review on the Privacy Shield, the EU commission recommended commissioning a study to look at “the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.”
Debbie Reynolds, director of EimerStahl Discovery Solutions at Eimer Stahl, told Legaltech News that the issue of automated processing “poses a significant challenge to the integrity of the Privacy Shield.” This is primarily because it won't be easy to place restrictions on how U.S. agencies and companies use automatic processing and decision making.
“I do think it is going to be somewhat of a challenge to address that seamlessly through the Privacy Shield because the way automated decision making is thought of and implemented in the U.S. is different than it is treated in Europe,” Neuman said. “I think that will be a work in progress for both sides in the next round of reviews for the Privacy Shield.”
But she added it is unlikely that the Privacy Shield will become a vehicle through which the EU imposes GDPR mandates on the U.S. government. “To the extent the GDPR contains elements that may or may not be properly or precisely aligned with U.S. law, you're not going to get the GDPR inserted into the Privacy Shield.”
Indeed, U.S. law can stand in direct odds against the GDPR and EU data privacy principles at times. In the Supreme Court case United States v. Microsoft Corp., the EU parliament filed an amicus brief declaring that should the Supreme Court rule that U.S. law enforcement can compel Microsoft to turn over user data stored in Ireland, it would “undermine the protections of the EU data protection regime, specifically intended and designed to cover data stored in an EU Member State.”
The Supreme Court ultimately dropped the case when Congress passed the Cloud Act, which among other things, allowed for the executive branch of the U.S. government negotiate and rely on data-transfer agreements, such as ones already in place with the EU, for U.S. law enforcement access to data stored overseas.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Elaine Darr Brings Transformation and Value to DHL's Business
- 2How Marsh McLennan's Small But Mighty Legal Innovation Team Builds Solutions That Bring Joy
- 3When Police Destroy Property, Is It a 'Taking'? Maybe So, Say Sotomayor, Gorsuch
- 4New York Top Court Says Clickwrap Assent Binds Plaintiff's Personal-Injury Claim to Arbitration in Uber Case
- 5'You Can’t Do a First Draft of Common Sense': Microsoft GC Jon Palmer Talks AI, Litigation, and Leadership
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
