General Data Protection Regulation

 

Complying with the EU's General Data Protection Regulation (GDPR) means different things for different groups. For many corporations, it means revamping consent and data handling processes and bringing on new staff. For law firms, means more client work.

But there is one group still deciding how the regulation will affect them: U.S. government agencies. Since the EU regulation applies to all worldwide entities that manage or process the personal data of EU citizens, in theory, some agencies, such as the U.S. State Department or the Department of Homeland Security, can fall under its purview. In reality, however, the situation is far more complex.

“Of course the GDPR, by its terms, applies to public authorities both in the EU and outside of Europe,” said Karen Neuman, a former chief privacy officer at U.S. Department of Homeland Security who is now partner at Goodwin and member of its Privacy + Cybersecurity practice.

But she added that how agencies may be affected by GDPR is far less clear than how private enterprises will be. “Whether and to what extent the U.S. government and its agencies consider themselves subject to the GDPR is a different question.”

To be sure, U.S. government agencies handling EU personal data are likely subject to some contractual restrictions that, while not necessarily from the GDPR itself, echo similar data privacy principles.

“There are circumstances where rather than subject themselves or think of themselves as being subject to the GDPR and to data protection rights, they have negotiated various information exchange agreements with the EU,” Neuman said. “Those data subject rights and GDPR protections are embodied in the various information sharing agreements, whether it's through the Privacy Shield or law enforcement agreements, including the 'umbrella agreement' between the U.S. and the EU for the sharing of law enforcement information.”

Those agreements, she added, reflect “a concerted effort to anticipate the requirements of the GDPR and ensure those protections were embodied in the agreements to the greatest extent possible without conflicting with U.S. law.”

Still, the agreements do not completely parallel principles and provisions in the GDPR. The Privacy Shield, for instance, does not place restrictions on automated processing and decision-making with EU citizen data, which is part of the GDPR's Article 22. In a report following the Annual Joint Review on the Privacy Shield, the EU commission recommended commissioning a study to look at “the relevance of automated decision-making for transfers carried out on the basis of the Privacy Shield.”

Debbie Reynolds, director of EimerStahl Discovery Solutions at Eimer Stahl, told Legaltech News that the issue of automated processing “poses a significant challenge to the integrity of the Privacy Shield.” This is primarily because it won't be easy to place restrictions on how U.S. agencies and companies use automatic processing and decision making.

“I do think it is going to be somewhat of a challenge to address that seamlessly through the Privacy Shield because the way automated decision making is thought of and implemented in the U.S. is different than it is treated in Europe,” Neuman said.  “I think that will be a work in progress for both sides in the next round of reviews for the Privacy Shield.”

But she added it is unlikely that the Privacy Shield will become a vehicle through which the EU imposes GDPR mandates on the U.S. government. “To the extent the GDPR contains elements that may or may not be properly or precisely aligned with U.S. law, you're not going to get the GDPR inserted into the Privacy Shield.”

Indeed, U.S. law can stand in direct odds against the GDPR and EU data privacy principles at times. In the Supreme Court case United States v. Microsoft Corp., the EU parliament filed an amicus brief declaring that should the Supreme Court rule that U.S. law enforcement can compel Microsoft to turn over user data stored in Ireland, it would “undermine the protections of the EU data protection regime, specifically intended and designed to cover data stored in an EU Member State.”

The Supreme Court ultimately dropped the case when Congress passed the Cloud Act, which among other things, allowed for the executive branch of the U.S. government negotiate and rely on data-transfer agreements, such as ones already in place with the EU, for U.S. law enforcement access to data stored overseas.