Davina Garrod Quoted in The Cybersecurity Law Report on New Privacy Shield for U.S.-EU Data Transfers
Davina Garrod, a partner at Akin Gump and member of the firm’s cybersecurity, privacy and data protection initiative, has been quoted in The Cybersecurity Law Report article “Deal Struck to Maintain the Transatlantic Data Flow.”
Garrod said the so-called “privacy shield” agreement “makes existing cooperation between the FTC and E.U. DPAs [data protection authorities] more robust, with better enforcement mechanisms and means of redress for E.U. citizens whose privacy rights may have been infringed by E.U.-U.S. cross border transfers.” At the same time, however, the shield “does not fix all of the problems identified by the [E.U. Court of Justice]” in a ruling that invalidated the previous safe harbor data transfer pact.
Garrod discussed the new arrangement and the protections it includes. For example, she noted, “companies will commit to participate in arbitration as a matter of last resort to ensure that E.U. individuals can seek legal remedies.” Finalizing the Shield, however, as well as adopting and implementing it, since “the precise text has not yet been made public,” could take months, she said.
Data Protection Authorities of individual E.U. member states (known as the Article 29 Working Party (WP29)), Garrod explained, “will be reviewing the documentation to ensure compliance with their ‘essential guarantees.’” There is a chance,” she pointed out, they will determine “the Shield does not go far enough in terms of protecting E.U. citizens from what they perceive to be the harmful effects of mass U.S. surveillance.”
While the continued grace period on enforcement is not entirely clear, Garrod explained that “some companies may find a gap in compliance until the Shield is finalized, adopted and implemented.” Additionally, authorities “will have different views about bringing enforcement actions in this period and will have limited resources, and may not necessarily have viable complaints before them.” For now, however, she said, “binding corporate rules and model contract clauses already in place are still enforceable in the context of E.U.-U.S. data transfer according to WP29,” which has made clear these methods “can still be used for existing transfer mechanisms.”