International data protection developments

Mark Lubbock, Partner, Brown Rudnick LLP, writes about data protection developments in US.

First up is the successful passage of the CLOUD Act through congress. The CLOUD Act would creates a framework to enable law enforcement agencies to access personal data across borders including to access data held by US operators outside the US - the subject of the now moot Microsoft Ireland case.  This means that the EU data held by a law firm which uses a US operator can be accessed by such agencies even if held outside the US. The law is likely to have a greater impact on US law firms than EU ones as US firm are more likely to use a US operator than EU ones. However proposals are apparently in train to create a similar law in the EU which will level the playing field albeit allowing EU government agencies to access US held data. It's not clear yet how this law will interact with GDPR which prohibits the export of data outside the EU except in exceptional circumstances.

In April 2018, the Irish High Court decided to send questions in the case brought against Facebook by Max Schrems to the CJEU concerning Facebook sharing data with US intelligence agencies - see http://www.europe-v-facebook.org/sh2/ref.pdf .  The decision may mean that Facebook and other electronic communication service providers would need to segregate EU and US data on separate systems, including such service providers to law firms. And if the CJEU decision also has a negative impact on the efficacy of the US-EU privacy shield and the use of model clauses, there will be no easy way to transfer data between the US and UK offices of a law firm.

It's difficult to predict how these will turn out, but it will be necessary for EU and US law firms to keep abreast of developments.

Mark Lubbock will be chairing ARK Group's GDPR for law firms event on 24 April 2018.