Labor Days News and analysis from Kelley Drye’s labor and employment practice Wed, 03 Jul 2024 07:21:07 -0400 60 hourly 1 Snowden Aftershocks: High Court Invalidates U.S. - EU Safe Harbor Tue, 13 Oct 2015 10:29:22 -0400 To our readers:

I wanted to share this insightful post from my partner and Privacy expert Alysa Hutnik concerning the recent decision by the European Court of Justice in the Maximillian Schrems v Data Protection Commissioner case, which effectively invalidated the Safe Harbor rule which had allowed US companies to safely share employee data among subsidiaries here and in the EU. As Alysa outlines, this decision creates huge uncertainty and arguably requires employers to create model contracts, or corporate rules to allow for such international data sharing. The Secretary of Commerce issued a statement last week expressing that she was "deeply disappointed" with the decision, and promising the issuance of an updated Safe Harbor framework "as soon as possible."

Stay tuned here and to our Privacy blog for further developments.


This week, largely driven by concerns over indiscriminate U.S. surveillance of EU citizen data, the Court of Justice of the European Commission (ECJ) invalidated the 15-year-old U.S.-EU Safe Harbor framework in Maximillian Schrems v Data Protection Commissioner. The Court found that each EU Member State has the right to determine for itself whether a data transfer provides an adequate level of protection and thus whether data about their citizens can be transferred to the U.S.

In short, the ECJ determined that:

1. The U.S.-EU Safe Harbor framework is invalid because:

  • The U.S.-EU Safe Harbor framework enables the U.S. government and other public authorities to broadly access EU citizens’ data;
  • Those EU citizens lack legal remedies to seek access to their data obtained in this manner or to obtain the rectification or erasure of such data; and
  • These deficiencies do not provide a level of protection of fundamental rights that are equivalent to those guaranteed within the EU.
2. National data protection authorities (DPAs) have the power to investigate the transfer of data to a non-EU country to determine whether there is “adequate protection,” even if the data transfer at issue is subject to a company’s safe harbor certification.

Brief Background:

The European Commission’s (EC) Directive on Data Protection, Directive 95/46/EC, went into effect in October 1998, and prohibits the transfer of personal data to non-EU countries that do not meet the EU’s “adequacy” standard for privacy protection. In 2000, the Department of Commerce in consultation with the EC developed a “safe harbor” framework, whereby companies could transfer personal data concerning a EU citizen to the U.S. if the company self-certifies to the U.S.-EU Safe Harbor Framework. In Decision 2000/520/EC, the EC determined that there is an adequate level of protection for transferring data from the EU to the U.S., if entities comply with the Safe Harbor privacy principles.

Max Schrems, an Austrian Facebook user, filed a complaint with the Irish DPA, alleging that the transfer of data from Facebook Ireland to Facebook USA should cease because the U.S. does not ensure an adequate level of protection under the Safe Harbor. The Irish DPA determined that it would not investigate the complaint on the grounds that it was “unsustainable in law” and cited to Decision 2000/520/EC. Schrems filed an action before the Irish High Court. That court stayed the proceedings and referred the following questions to the ECJ for a preliminary ruling determining whether a DPA is bound by Decision 2000/520/EC or if it could conduct its own investigation into the adequacy of the country’s data protection.

Next Steps for Companies that Relied on Safe Harbor:

The ECJ’s decision means that, for the more than 4500 companies that currently rely on the U.S.-EU Safe Harbor to transfer EU individual data to the U.S., they now will need to assess alternative compliance methods for addressing international data transfers, or face potential legal exposure in Europe. Alternative compliance options include model contracts, binding corporate rules, or by obtaining individual consent. But none of these are a small effort or can be done relatively swiftly.

That quandary is causing headaches for many businesses, aware that the EC decision is effective immediately. At the very least, DPAs collectively will be issuing guidance for businesses that should be helpful in assessing the practical implications of the ECJ decision and considerations and timing for obtaining new compliant data transfer mechanisms. For example, should pre-existing model contracts be updated to address the U.S. surveillance concerns discussed in the ECJ decision? If a Safe Harbor 2.0 is adopted in response to the ECJ decision, will there still be uncertainty on whether to rely on it if individual DPAs can still scrutinize and question if there is adequate protection?

In the meantime, here’s what the White House, the FTC, and Commerce had to say. More to come as we follow the developments…

Maine Cannot Ask Employees for Access to Social Media Wed, 19 Aug 2015 12:29:48 -0400 magnify_Social media privacy legislation has seen a dramatic increase in interest in state legislatures recently. In 2015 alone, at least 23 states have introduced or considered measures to restrict employers’ ability to track, access, or demand social media information from employees, and since 2012, 21 states enacted such legislation – Arkansas, California, Colorado, Connecticut, Illinois, Louisiana, Maryland, Michigan, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Virginia, Washington, and Wisconsin.

Maine is the latest in this growing trend despite Republican Governor Paul LePage’s attempt to block the new law. Unfortunately for Gov. LePage, the Supreme Court of Maine found that he missed the deadline to veto the legislation along with the dozens of other bills he opposed.

Under Maine’s new law, public and private employers cannot ask an employee or applicant to hand over their social media or e-mail passwords, or make them log on to such services in their presence. The law contemplates fines that increase in punishment from $100 for a first violation, $200 for a second, and $500 for each violation thereafter.

Employers in the above listed 21 (and now, with Maine, 22) states should be mindful of these restrictions and put management on notice of the possible consequences of violating these laws.

Kelley Drye to Host Seminar on Employee Privacy and Data Protection Issues in the Connected Workplace Mon, 11 May 2015 15:41:54 -0400 On June 2, 2015, Kelley Drye will be hosting an afternoon seminar at its New York offices on the challenges employers face when balancing data security with employee privacy rights. The seminar will be presented by Labor Days’ own Barbara Hoey and Mark Konkel, joined by Alysa Hutnik of Kelley Drye’s Privacy and Information Security practice. A closed lock on a keyboard

While breaches of customer data have received most of the media scrutiny, employee data breaches also are causing company headaches. But there remain increasing pressures to also gather and utilize employee data through the monitoring of employee communications to measure productivity, maintain corporate image, and to deter or prevent wrongdoing.

The seminar will focus on key questions employers face when balancing obligations to their business and employees such as:

  • What are HR best practices in these areas?
  • What are the lessons learned from past employee data breaches?
  • What are employees’ electronic privacy rights in the workplace?
  • How should a business strike the right balance between an employee’s privacy rights and protection of the business?
  • Can employees use companies’ email systems for personal reasons?
  • Can employers monitor employee email use? Do they have to let employees know if they are doing so?
  • Can employers sanction employees for comments made on social media? What constitutes private behavior vs. behavior that can adversely affect a company’s image?
  • Can employers monitor data on personal devices that are also used for business reasons?
Click here for more information. Click here to register for the event.