Lawyers Anticipate More Teeth in New Data-Transfer Pact

Lawyers Anticipate More Teeth in New Data-Transfer Pact

SAN FRANCISCO — The European Commission and the U.S. Department of Commerce on Tuesday announced a new framework to govern the cross-border transfer of digital data.

The “EU-US Privacy Shield” would replace the Safe Harbor pact that was struck down in October by the European Court of Justice. Details of the agreement will be finalized in the next two weeks. In the meantime, privacy lawyers agree on one message: get ready for stronger enforcement.

“When talking to our clients, we tell them that we are getting every indication that this is going to be vigorously enforced,” said Reed Smith partner William Cook, an intellectual property and data-privacy partner based in Chicago.

The so-called Privacy Shield lays out obligations for data transfer between companies in Europe and the United States. U.S. companies that handle the data of European citizens will have to meet reporting obligations and will be subject to oversight by the U.S. Department of Commerce and the Federal Trade Commission. The Department of Commerce and the FTC had authority to monitor U.S. company activity under the previous Safe Harbor agreement, but lawyers agree that the European Commission is looking to broaden the FTC’s role.

“Europeans want to see a higher number of cases,” said Baker & McKenzie partner Lothar Determann. According to a 2013 report from the FTC, the agency had brought 10 cases related to Safe Harbor violations since the agreement’s inception. Enforcement actions may not have been frequent, but they had great impact, Determann said.

“Let’s put this in perspective,” he said. “FTC decisions have grave consequences for U.S. companies, and a lot of companies that see an FTC case come out in a certain way, they change their behavior immediately.”

Paul Hastings special adviser Paul Schwartz, a law professor at UC-Berkeley, said the proposed Privacy Shield, when taken together with another soon to be adopted data-privacy regulation, signals a new mode of thinking for European enforcement. That law, the General Data Protection Regulation, exposes companies to high fines for violations.

“You look at the number and it’s like holy moly, this is the Big Leagues,” Schwartz said, comparing the enforcement fines to those imposed in antitrust violations. According to the new law, a company could be fined either 2 million euros or 4 percent of their global revenue for infractions. For Alphabet, Google’s new corporate parent, a 4 percent fine could approach $3 billion based on the earnings figures it posted Feb. 1.

“If that’s their new model,” Schwartz said, “people are going to have to take this much more seriously.”

Contact the reporter at