Transatlantic Data Transfers: US-EU Privacy Shield under review

When personal data travels between Europe and America, it must cross international borders lawfully. If certain conditions are met, companies can rely on the US-EU Privacy Shield, which functions as a sort of “tourist visa” for data. 

Earlier this week (19 November) the United States Federal Trade Commission finalised settlements with four companies that the agency accused of falsely claiming to be certified under the US-EU Privacy Shield framework. This news closely follows the highly anticipated second annual joint review of the controversial data transfer mechanism. 

IDmission LLC, mResource LLC, SmartStart Employment Screening Inc., and VenPath Inc. were slapped on the wrist by the FTC over allegations that they misrepresented their certification. But this is just the latest saga in an ongoing debate regarding the Privacy Shield’s fitness for purpose. Only this summer, the European Parliament urged the European Commission to suspend the Privacy Shield programme over security and privacy concerns.


Background and purpose

Designed by the United States Department of Commerce and the European Commission, the Privacy Shield is one of several mechanisms by which personal data can be sent and shared between entities in the EU and the United States. The Privacy Shield framework thereby protects the fundamental digital rights of individuals who are in the European Union, whilst encouraging transatlantic commerce.

This is particularly important given that the United States has no single, comprehensive law regulating the collection, use and security of personal data. Rather, the US uses a patchwork system of federal and state laws, together with industry best practice. At present, the United States as a collective jurisdiction fails to meet the data protection requirements established by EU lawmakers.

As such, should a corporate entity or organisation wish to receive European personal data, it must bring itself in line with EU regulatory standards, known as being “protected under” the Privacy Shield. To qualify, companies must self-certify annually that they meet the requirements set out by EU law. This includes taking measures such as displaying a privacy policy on their website, replying promptly to any complaints, providing transparency about how personal data is used, and ensuring stronger protection of personal data.

Today, more than 3,000 American organisations are authorised to receive European data, including Facebook, Google, Microsoft, Twitter, Amazon, Boeing, and Starbucks. A full list of Privacy Shield participants can be found on the privacyshield.gov website.

Complaints and non-compliance?

There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.

—Gordon Sondland, American ambassador to the EU

Although the Privacy Shield imposes stronger obligations than its ancestor, the now-obsolete “Safe Harbor,” European lawmakers have argued that “the arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice.”

In its motion to reconsider the adequacy of the Privacy Shield, the EU Parliament stated that “unless the US is fully compliant by 1 September 2018” the EU Commission would be called upon to “suspend the Privacy Shield until the US authorities comply with its terms.” The American ambassador to the EU, Gordon Sondland, responded to the criticisms, explaining: “There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.”

Věra Jourová, a Czech politician and lawyer who serves as the European Commissioner for Justice, Consumers and Gender Equality, expressed a different view: “We have a list of things which needs to be done on the American side” regarding the upcoming review of the international data transfer deal. “And when we see them done, we can say we can continue.”

Photo: Ambassador Sondland with Commissioner Jourova in the Berlaymont.
Jourová and Sondland, via a tweet from Sondland saying he was “looking forward to our close cooperation on privacy and consumer rights issues that are important to citizens on both sides of the Atlantic.” 

The list from the Parliament and the First Annual Joint Review [WP29/255] concerns institutional, commercial, and national security aspects of data privacy, including:

  • American surveillance powers and use of personal data for national security purposes and mass surveillance. In particular, the EU is unhappy with America’s re-authorisation of section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorises government collection of foreign intelligence from non-Americans located outside the United States (Remember Edward Snowden and PRISM? See the Electronic Frontier Foundation’s explanation here)
  • Lack of auditing or other forms of effective regulatory oversight to ensure whether certified companies actually comply with the Privacy Shield provisions
  • Lack of guidance and information made available for companies
  • Facebook and the Cambridge Analytica scandal, given that 2.7 million EU citizens were among those whose data was improperly used. The EU Parliament stated it is “seriously concerned about the change in the terms of service” for Facebook
  • Persisting weaknesses regarding the respect of fundamental rights of European data subjects, including lack of effective remedies in US law for EU citizens whose personal data is transferred to the United States
  • The Clarifying Overseas Use of Data (“CLOUD”) Act, signed into law in March 2018, allows US law enforcement authorities to compel production of communications data, even if they are stored outside the United States
  • Uncertain outcomes regarding pending litigation currently before European courts, including Schrems II and La Quadrature du Net and Others v Commission.

 

Max Schrems is an Austrian lawyer and privacy activist. In 2011 (at the age of 25) while studying abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook’s lack of awareness of European privacy law. His activism led to the replacement of the Safe Harbor system by the Privacy Shield.

What happens if the Privacy Shield is suspended?

In a joint press release last month, the representatives from the EU and USA together reaffirmed “the need for strong privacy enforcement to protect our citizens and ensure trust in the digital economy.” But that may be easier said than done.

In the event that the Privacy Shield is suspended, entities transferring European personal data to the United States will need to consider implementing alternative compliant transfer mechanisms, which could include the use of Binding Corporate Rules, Model Clauses, or establishing European subsidiaries. To ensure that the American data importer implements an efficient and compliant arrangement, such alternatives would need to be assessed on a case-by-case basis involving careful review of data flows, and the controller and processors involved.

Regardless of the method used to transfer data, American companies must ensure that they receive, store, or otherwise use European personal data only where lawfully permitted to do so. The joint statement noted above concluded by saying that the “U.S. and EU officials will continue to work closely together to ensure the framework functions as intended, including on commercial and national-security related matters.”

The European Commission is currently analysing information gathered from its American counterparts, and will publish its conclusions in a report before the end of the year.

“Faceswap” for Lady Liberty costs US Post Office $3.5M

Between 2011 and 2014, the United States Postal Service (USPS) used an image of the Statue of Liberty for its Forever Stamp series (a type of First Class postage stamp). Unfortunately for the USPS, the image they chose was not actually of the famous statue that towers over New York Harbor designed by French sculptor Frédéric Auguste Bartholdi in 1886. Instead, the image they chose was actually Robert S. Davidson’s replica Statue of Liberty which looks over the New York-New York Hotel & Casino in Las Vegas. Davidson sued for – and won – nearly $3.5 (£2.6) million in royalties, plus interest.

the original in New York (left) and the “replica” in Vegas

As reported by Artsy, an eagle-eyed stamp collector identified the mix-up in 2011. The USPS was made aware of the goof in 2013, but went on to print another 1.13 billion stamps with the replica’s image. For context, the judgement cited that the USPS made some $70 million in revenue resulting from sales of this Lady Liberty stamp alone.

The Post Office purchased the photo used on the stamp from the image service Getty for $1,500 (£1,140). However, the license only covered the rights to Getty’s photograph of the statue — and not the statue itself. The USPS neglected to seek permission from Davidson, likely because it simply assumed that what it was using was in the public domain.

In its defense, the USPS asserted that the statue is a replica and accordingly, contains no truly original work. If true, this would render Davidson’s copyright claim invalid, and the government would owe nothing for its use of the replica statue’s image.

Davidson was therefore tasked with proving that his copyright in the statue was valid, which under US law requires only a showing of “some minimal degree of creativity” and that it was his own “independent creation” of those original elements.

By way of reminder, the focus is on the expression of an original idea and not the idea itself (Oracle Am., Inc. v. Google Inc., 2014). As such, Davidson’s statue did not need to be wholly original, but rather a “new and original expression” of some previous work or idea – namely, the famous Bartholdi statue.

Davidson argued in his lawsuit that he wasn’t trying to create a replica of the original, but rather to craft a fresher, more feminine version. As was later quoted in the ruling, he “envisioned his mother-in-law as inspiration … and viewed her picture every night during the construction of the face of the statue.”

The Court examined photographs and was satisfied that Davidson “succeeded in making the statue his own creation, particularly the face. A comparison of the two faces unmistakably shows that they are different.” Ultimately, the Court agreed that Davidson’s statue “evokes a softer and more feminine appeal. The eyes are different, the jaw line is less massive and the whole face is more rounded.”

The USPS’s defense that the stamp fell under the fair use exemption was rejected by the Court, which reasoned that the USPS printing “billions of copies and selling them to the public as part of a business enterprise … so overwhelmingly favors a finding of infringement that no fair use can be found.”

In case you’re wondering how the USPS – which is a US government agency – can be successfully sued for copyright infringement, 28 U.S.C. § 1498(b) waives sovereign immunity for claims of copyright infringement against the federal government “for the recovery of his reasonable and entire compensation as damages for such infringement.”

California Bar Exam; introduction

I’ve decided to sit the California bar next year! I thought it might be a good idea to keep a written record of my experiences, thoughts, predictions, and study strategy: these posts will be marked by the “California Bar Exam” category tag.

Why become dual-qualified? And why California? Although I’ve lived in London for nearly seven years and am licensed to practice law in England, I’m still an American citizen. I earned my Bachelor’s degree in the USA, and after studying law and politics fully intended to go to law school in the States. My original plans to spend one year in London to do a Master’s degree changed when I met my now-husband!

I consider it something special to be qualified to practice law in your “home” jurisdiction. The American Constitution is very much a part of my professional and personal DNA: as I’ve become more and more involved in English and European law (especially in matters concerning media, expression, and privacy) the more interested I am in American jurisprudence.

Maybe it’s the academic in me, but I’m genuinely passionate and curious about legal theory and the practice of law. I also think being dual-qualified will make me a better lawyer, not least because the majority of my clients have some sort of international aspects which routinely touch on US law.

Currently, only a few states allow foreign-qualified lawyers to bypass American law school and sit the bar as “attorney applicants” – New York and California are two of the most popular. For boring administrative reasons* I’m not eligible to sit the bar in New York without doing an LL.M. in the States. California on the other hand only cares about the fact that I’m currently a lawyer in good standing in my home jurisdiction. So California it is!

Even if I was eligible to sit the NY bar, I do honestly think that I’d prefer to do it in California. My practice is focused on media, internet companies, telecoms, creative content, defamation, publicity, and privacy: so many interesting cases on those matters come out of California. Furthermore, I come across contracts subject to Californian law on a weekly basis. It would be great to be able to advise on those contracts, and not need to defer to US counsel! Plus, as a girl originally from the West Coast of the US, I’ve always believed known West Coast, Best Coast. 

There are three key components of the exam process:

1.  The Multi-state Professional Responsibility Exam, or “ethics exam” (MPRE). This exam can be taken in any one of 300 test centers around the USA, and is offered three times each year. I’m taking the exam in November, in New York City. My test results will be “uploaded” to California.

In July 2019, I’ll be off to Los Angeles to sit the California Bar Exam, which occurs over a two-day period:

2.  The California Bar Exam. Day 1 consists of five separate one-hour essays on a variety of legal topics, and one 90-minute practice test in which candidates are expected to work through a series of documents and produce some sort of memorandum or client letter. I’m still trying to figure out which points of California law specifically will be testable.

3.  The Multi-State Bar Exam. Day 2 is the MBE, which consists of 200 multiple-choice questions on seven subjects, based upon principles of common law and Article 2 of the Uniform Commercial Code (covering sales of goods). The questions are not broken down into sections and the seven topics are distributed more or less evenly throughout the exam. Candidates receive three hours during the morning session to complete the first 100 questions, and another three hours during the afternoon session to complete the second 100 questions.

The topics covered are:
• Business Associations
• Civil Procedure – topic on both Day 1 and Day 2
• Community Property
• Constitutional Law – topic on both Day 1 and Day 2
• Contracts – topic on both Day 1 and Day 2
• Criminal Law and Procedure – topic on both Day 1 and Day 2
• Evidence – topic on both Day 1 and Day 2
• Professional Responsibility
• Real Property – topic on both Day 1 and Day 2
• Remedies
• Torts – topic on both Day 1 and Day 2
• Trusts
• Wills and Succession

 

*Why not New York? According to Section 520.6 of the Rules of the Court of Appeals for the Admission of Attorneys and Counselors at Law, foreign lawyers must satisfy certain requirements to be admitted to the New York bar. In addition to passing the bar exam itself, applicants must have a “qualifying degree” that satisfies the educational requirements to practice law in a foreign country.

The normal route in England for aspiring lawyers is to do an undergraduate degree in law: the LL.B. They then do a year of law school (LPC) and two years of clerking (the training contract).

For students who don’t do the LL.B (for example, if they do history or chemistry and later decide to go into law) they can do a one-year “conversion” course known as the Graduate Diploma in Law (GDL) before doing the LPC. This was the route I chose, as – like many others – I did not do an undergraduate degree in law.

Unfortunately, despite being a qualified solicitor in England, the New York State Bar does not recognise the GDL as being a full “qualifying degree.” I can “cure” this by completing a 2-year LL.M. (a Master’s degree in law) in the USA, but… nah. That’s not happening.

American Copyright law to get 21st century remix

In my previous post, I wrote about the European Union’s sweeping new Directive on Copyright in the Digital Single Market, which is currently in draft stages. But copyright legislation is getting an update on the other side of the pond, too.

Since 1909 — before recordings of music even existed — Section 115 of the Copyright Act has regulated the licensing of musical works. Many songwriters and music publishers have trouble collecting royalties for the use of their songs played via digital streaming services. Amongst other things, the proposed Music Modernisation Act will modernise how compensation for mechanical licenses, which include digital streaming, is determined.

Last week, the United States House Judiciary Committee voted unanimously (32-0) to approve House Bill 4706, “to provide clarity and modernize the licensing system for musical works under section 115 and to ensure fairness in the establishment of certain rates and fees.” More commonly known as the Music Modernization Act (“MMA”), the bill now heads for consideration by the full House of Representatives. The MMA has received wide bipartisan support from Democrats and Republicans alike, and appears to be “on the fast track” for approval.

Importantly, the MMA will create an American agency or “mechanical licensing collective” that would house all music publishers under one roof. It is expected that the agency will have a database of ownership information, which will increase transparency and help identify music creators who are owed royalties.

Once established, the digital streaming services will pay the mechanical licensing collective, which in turn tracks and collects royalties on behalf of the artists. As explained by Committee Chairman Bob Goodlatte (a Republican from Virginia), the MMA “boosts payments for copyright owners and artists by shifting the reasonable costs of a new mechanical licensing collective onto digital music services, who themselves benefit from reduced litigation costs as a result of other provisions in the bill.”

Speaking to ABC News, John Simson noted that Americans “…have a 1909 statute trying to govern 2018 technology, and it doesn’t work.” Mr Simson is a professor at the American University and founding member of Sound Exchange, a non-profit organisation set up to collect and distribute performance royalties.

Intellectual Property Subcommittee Vice Chairman Doug Collins (a Republican from Georgia) noted that “the current music licensing landscape undervalues music creators and under-serves music consumers. Outdated copyright laws have produced unnecessary liabilities and inefficiencies within the music licensing system, and stakeholders across the music industry have called for reform. This bill moves the music industry towards a freer and a fairer market, enabling it to leverage the present and future benefits of the digital age.”

  • The first section of the bill concerns how modern digital music services operate, and will create a “blanket licensing system” to quickly license and pay for musical work copyrights. A key aim includes discouraging lawsuits in favour of simply ensuring that artists and copyright owners are paid in the first place without such litigation (see “No lawsuits over unpaid royalties after 1 January 2018?” below).
  • The second section, “Compensating Legacy Artists for their Songs, Service, and Important Contributions to Society (CLASSICS) Act” will focus on public performance rights for pre-1972 recordings. In particular, musicians with pre-1972 recordings will receive royalty payments when their tracks are played on the radio, online, or on television.
  • The third section, “Allocation for Music Producers (AMP) Act,” will ensure that record producers, sound engineers, and other creative professionals also receive compensation for their work.

No lawsuits over unpaid royalties after 1 January 2018?
Of course, the MMA is not without its detractors who are quick to point out several key issues. Firstly, the bill sets out a broad limitation of liability clause which essentially shuts down any potential lawsuits filed after January 1st 2018. That’s not a typo: under Section 2(10)(A), the MMA really does apply a retrospective restriction on legal action.

Without the possibility of litigation, songwriters (and other copyright holders) who have unpaid royalties have one sole and exclusive remedy: they must go through the process set out in the legislation, governed by the dispute resolution committee of the mechanical licensing collective.

And while the mechanical licensing collective created by the MMA will have a board of directors, that board will be comprised of ten music publishers (record labels) together with only four songwriters! Furthermore, as currently written, the MMA provides no grievance process for excluded writers and those who receive unjust treatment. Is this likely to hit the right note with independent artists and smaller record labels?

 

Featured image – Francis Barraud, His Master’s Voice.