BNA: We wondered first about the Safe Harbor without you there. They’re not replacing you, right?

Greer: They’re not replacing me. Another person just started … she had her baptism of fire. We had a luncheon and she said, “Now I have an appreciation of what you did while you were there.” I said, “Well, welcome to my world.”

BNA: What was that world like?

Greer: Extremely busy. I kind of characterized it as something akin to strapping yourself into the seat of a jet fighter and going off at Mach 2 at 8:30 in the morning and going all day long. Fielding telephone calls, e-mail inquiries from companies, people wanting to know how the framework works, that sort of thing. And it goes on five days a week. I used to work on Saturdays from home just to keep my head above water.

BNA: And it’s mostly inquiries from companies?

Greer: Yes. With the rate of growth in Safe Harbor right now, even the addition of this other person is not going to help them. …

I know in your BNA article on the ICO [the U.K. Information Commissioner's Office] … certifying another company for BCRs [Binding Corporate Rules], they did 11 BCRs in the last [six years] or so (10 PVLR 1686, 11/21/11). Safe Harbor used to do that in two days. BCRs … large companies can afford that—J.P. Morgan Chase, Accenture, Hyatt Hotels, General Electric. Most of the companies in Safe Harbor are smaller companies. They’re below the Fortune 1,000. It just costs so much money to go through the process, even under the streamlined format that they supposedly have. I haven’t seen a groundswell of interest among the business community to take that option.

BNA: Are the number of organizations seeking Safe Harbor status up just this year?

Greer: It’s been rising since I took over in 2006. But it’s been gradual. Now their increase on average since 2009 has been between 20 and 22 percent a year over the prior year.

BNA: What was the biggest success of your time with the Safe Harbor program? …

cforms contact form by delicious:days

By Karin Retzer and Michael Miller

I. THE SOURCES OF THE CONFLICTING OBLIGATIONS

Complying with U.S. discovery demands can involve enormous effort and expense, even in the best of circumstances. But the discovery process can become even more difficult when compliance with U.S. discovery demands raises potentially conflicting legal obligations in non-U.S. jurisdictions. One way in which these conflicting demands might arise is when EU data protection laws prohibit the discovery of the requested information. On the one hand, U.S. courts can seek to compel litigants and third-party witnesses to produce documents and other information, and impose serious sanctions for failure to do so. On the other hand, data protection authorities in EU Member States ¹ can view the production of those documents and other information, whether court ordered or not, as itself violating EU data protection rules, and can impose penalties for taking the steps necessary to comply with those U.S. discovery orders. Below we discuss these conflicting demands, and suggest a constructive way to reconcile them. A useful place to start this discussion is at the roots of the conflicting demands imposed by the different legal regimes.

¹ The 27 Member States of the European Union are: Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (collectively, the “Member States”).

A. Different Approaches to Data Protection

One of the roots of the conflict that can arise in U.S.-EU cross-border discovery is the substantially different notions of “personal data” adopted under U.S. and EU law, and the different protections accorded such data. The EU takes an omnibus approach—protecting all personal information, while the United States operates on a harms-based approach—protecting only that information that is particularly sensitive or which, if inappropriately used or disclosed, can cause substantial harm to individuals. It is critical to understand these differences in any dialogue on cross-border discovery.

The EU Member States ² generally embrace a broad view of “personal data.” The 1995 Data Protection Directive ³ (“Directive”), as implemented by the Member States, protects individuals against the unauthorized processing of personal data, which is defined as any information relating to an identified or identifiable individual. This includes e-mails or documents created in the workplace such as work related e-mails, memoranda, and reports. …

cforms contact form by delicious:days

Last month, Europe took a major step toward a notice and opt-in regulatory model for behavioral advertising.

On June 22, the Article 29 Working Party, the EU-level data protection advisory body comprised of representatives of all EU member state data protection authorities, issued a detailed and very restrictive opinion on online behavioral advertising. The opinion requires network advertisers to obtain user opt-in to placement of advertising cookies on user devices, to provide prominent notice of profiling, and to erase cookies periodically. It also requires website publishers to inform the visitors about the ad network used and the profiling that takes place. The Working Party will reach out to industry stakeholders and invites public comment and a “dialogue” with industry regarding how to implement the broad principles it articulates in the opinion.

cforms contact form by delicious:days