Got EU Data?

Emerging tech companies take note – if you collect the personal data of European citizens from the United States, or otherwise transfer that data to the U.S., recent developments mean your legal obligations may change soon.

Background

Citizens of EU member states have an explicit right to privacy.  In practice, this means companies can transfer EU citizens’ personal data out of the EU only if the destination country has an adequate level of protection.

Historically, it has not been a problem to store EU citizen data in the United States.  Under an agreement between U.S. and EU regulators, which is often referred to as the “Safe Harbor,” a U.S. company could transfer that data to the U.S. by certifying to the U.S. Department of Commerce that it would adhere to European privacy principles.  The U.S. Federal Trade Commission, in turn, could bring enforcement actions against the company if it failed to comply.  More than 4,000 companies took advantage of the Safe Harbor to transfer data to the U.S., from Amazon and Google to emerging tech companies in the upper Midwest.

After Edward Snowden revealed that the U.S. government may have indiscriminately conducted mass surveillance of EU citizens’ personal data, an Austrian Facebook user complained to EU authorities that the U.S. lacked adequate protections.  On October 6, 2015, the Court of Justice of the European Union ultimately agreed and invalidated the Safe Harbor framework.

Bad Alternatives

The ruling had an immediate impact on businesses of all stripes that relied on the Safe Harbor, particularly emerging tech companies.  They were left with a handful of bad alternatives –

  • keep the data in the EU – potentially expensive or unworkable;
  • obtain user consent or use model contract provisions – also potentially expensive or unworkable, especially for companies already processing data on behalf of existing business customers with an EU presence; or
  • leverage binding corporate rules – a time-consuming process ultimately requiring approval of EU data authorities.

Worse still, the Court of Justice of the European Union ruling implicitly called into question some of these alternatives.  Recognizing the problem, EU regulators gave themselves and their U.S. counterparts until January 31, 2016 to find an alternative.  This set off intense negotiations among regulators.

Privacy Shield

On January 28, 2016 the U.S. Senate Judiciary Committee approved a bill that would allow EU citizens to sue the U.S. government for privacy violations.  Just a few days ago, on February 2, the European Commission and the U.S. Department of Commerce announced the outline of a potential Safe Harbor replacement, dubbed the “Privacy Shield.”  According to the releases:

  • U.S. companies will have stronger obligations to protect the personal data of EU member state citizens.  Among other things, they will be required to comply with the decisions of the EU data protection authorities regarding that personal data.
  • U.S. companies will remain subject to enforcement actions for privacy violations by the FTC, and EU privacy regulators will have the ability to refer complaints of EU member state citizens to the FTC.
  • If an EU citizen lodges a complaint regarding inappropriate activity by U.S. authorities, a new Ombudsperson at the U.S. State Department will review it.
  • Alternative dispute resolution for certain complaints will be made available for free.
  • The U.S. will commit not to indiscriminately conduct mass surveillance of EU citizens.  U.S. guarantees regarding limits and oversight will be reviewed annually by the European Commission and the U.S. Department of Commerce.  U.S. national security agencies will be invited to participate in those reviews.

To Be Determined

The outline lacks many details that will prove vital to providing a meaningful and lasting legal alternative for U.S. technology companies.  Important outstanding questions include:

  • Will free alternative dispute resolution result in an increased number of complaints?
  • Will U.S. security agencies take up invitations to participate in annual reviews, and will those reviews be meaningful? If not, will the Court of Justice ultimately invalidate the Privacy Shield as it did the Safe Harbor?
  • Will the Privacy Shield be suspended if EU authorities conclude that the U.S. failed to comply with the Privacy Shield’s limits?
  • By when will the EU and U.S. finalize these and other Privacy Shield details? EU regulators suggested that final approval could take up to 3 months, but some EU lawmakers and privacy advocates are already arguing the Privacy Shield is not enough.

In The Meantime

While the Privacy Shield winds its way through the EU approval process, the chair of the group composed of EU data protection agencies said the group will not take enforcement action against U.S. companies that continue to use existing legal alternatives like model contract clauses and binding corporate rules.  These alternatives may be difficult for many emerging technology companies, but for now they are likely the only lawful way to collect EU citizens’ personal data from the U.S. or otherwise transfer EU personal data to the U.S.

Wide Adoption of Electronic Signatures and Electronic Contracts Overdue

While almost a decade has passed since the federal Electronic Signatures in Global and National Commerce Act (ESIGN Act) became law, most companies have yet to take advantage of the opportunities that the act affords. Other than online click-wrap license agreements and Internet sales terms and conditions, most companies are still entering into most of their agreements on paper.  Having moved beyond faxing in most cases, the norm these days for most businesses is to print, sign, scan, and email the contract. In large or important agreements, companies typically also exchange multiple sets of originals, so that each side (and their legal counsel) have original copies. In most situations, this elaborate process is unnecessary.  For a variety of reasons, we often encourage clients to go paperless with their contracts when appropriate. 

Software and Internet Services that Assist with Electronic Contracts

There is some encouraging news that going paperless in the contracting process may become more prevalent.  Adobe recently released a free beta version of its online eSignatures software-as-a-service (SaaS).  The SaaS offering is easy to use and may spur more adoption of e-signature technology.  Low-cost competitive products from DocuSign, Arx, and AlphaTrust are also worthy of consideration.  These and other e-signature vendor products offer the following benefits:

  • E-signatures speed up the contracting process.   The extra steps of printing for signature, scanning, preparing a cover letter/fax, and mailing/faxing are removed. 
  • E-signature service can be accessed virtually anywhere.  All that the parties need is a computer with an Internet connection.  No need for the traveling executive to find a printer and scanner/fax or have the hotel staff print the document, prepare a coversheet and fax the signed document back. 
  • Electronic contracting saves paper.  There is no need to print the agreement, so it supports the virtually paperless office, such as ours.

In addition, traditional concerns over security have mostly been allayed.  The e-signature vendors typically offer one or more security measures to authenticate the signers and to detect any change to the document after it was signed.  Many e-signature vendors have undergone SAS 70 Type II audits of their controls, and uploads and downloads travel over an SSL/TLS-encrypted channel.  Audit trails show when and by whom documents were sent, viewed, and signed.  Two caveats are worth keeping in mind: the audit trail and the tamper-evidence are only as trustworthy as the vendor that maintains them, and, while most products let the sending party delete the electronic contract from the vendor’s servers after signing and downloading, that deletion does not recall the copies already downloaded or emailed to the other parties.

Laws Related to Electronic Contracts

Numerous laws in the United States and abroad recognize the legitimacy of electronic signatures.  The federal ESIGN Act and the Uniform Electronic Transactions Act (UETA) generally establish the legal equivalence of electronic records and signatures with paper writings and handwritten signatures, removing barriers to electronic commerce.  Forty-seven states have adopted the UETA, a model law for states to enact to cover contracts governed by state law; the remaining states, New York, Illinois, and Washington, have each adopted their own statutes governing electronic transactions.  Under the UETA, an electronic signature is attributable to a person if it was the act of that person, which can be shown by the effectiveness of the security procedures used to authenticate the signature and by the context and surrounding circumstances at the time the record was created.  No one can be required to use or accept an electronic signature; the UETA applies only to transactions the parties have agreed to conduct electronically.  Besides the United States, the European Union adopted the Electronic Signature Directive (1999/93/EC), since replaced by the eIDAS Regulation (EU) No 910/2014, and numerous other countries have adopted electronic signature laws.

How Electronic Signatures Work

These are the basic steps to send a document for signature using an electronic signature solution.  The initiator sets up a password-protected account, uploads a document, types the email addresses of the recipients, composes a short cover note (if desired), clicks to sign (or chooses to sign last), and sends.  Recipients receive an email with the customized message and a link to a document to sign.  Recipients are not required to pay to use the electronic signature service, but they may need to set up an account.  After completing any required authentication checks, they click on the link, review the document, and click to sign and send.  After the document is fully signed, all parties receive an email with a link to the document with digital signature stamps from each signing party.  In the case of Adobe’s eSignatures SaaS offering, Adobe will apply a certifying signature, appearing as a blue ribbon, indicating that the document has not changed since it was signed. 

Additional E-Signature-Based Offerings that Facilitate the Electronic Contracting Process

E-signature vendors with low-cost software or services offer many of the following additional features (some of which Adobe may incorporate into later versions):

  • Signatures in multiple places and on specific lines (whereas Adobe’s eSignatures SaaS offering just appends a signature page to the end with all the electronic signatures)
  • Fill-in-the-blank forms and agreements, guiding receiving parties through the document with signature flags, initial flags, and instructions, and preventing a party from signing a document with an incomplete blank
  • Ability to compare the signed document to the hash captured (and signed) at the moment of signing, to confirm that the signature is valid and the document has not been modified since (whereas Adobe’s blue ribbon indication is immediate)
  • Signing parties other than the sender do not need to subscribe to the service (free)
  • Folders to deliver multiple documents in logical groups
  • Workflow processes for internal approvals
  • Access via mobile devices
  • Optional multi-layered authentication, such as passwords, ID checks administered by third parties with questions from public and private databases, security fobs, etc.
  • Integration with business enterprise software 
  • Server-based as well as hosted solutions
  • Custom branding and instructions 
  • Optional behind-the-scenes digital signature cryptography

Using Digital Signatures for Additional Security

A subset of electronic signatures, digital signatures provide more checks to ensure security, but more time and cost can be involved in administering them.  Digital signature technology can also be used to control who has access to a document or who can sign or certify it.  Digital signature technology is the gold standard of security in terms of validating the authenticity of the signature and preserving the integrity of the document.  The reason is the underlying public key cryptography: the signer’s private key produces a signature over a hash of the document, and anyone holding the corresponding public key can verify both that the signature was made with that private key and that the document has not changed by so much as a byte since it was signed.  The key pair together with the certificate that names its owner is often called a digital ID.  Many large organizations implement a public key infrastructure to issue, authenticate, and revoke the digital IDs used for digitally signing documents.  Most receiving parties require that a certificate authority, such as VeriSign or GlobalSign, vouch for the binding between the public key and the signer’s identity, because a signature that verifies under some public key proves nothing unless you know whose key it is.  There are fees in the hundreds to thousands of dollars associated with using a certificate authority.  While it is not difficult to establish a digital ID or to validate another party’s digital ID, some education and administration is involved.
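The two mechanisms described above, the hash captured at signing that is later compared against the document (from the feature list) and the private-key signature that a public key verifies (this section), are easy to see in working code.  The following Go program is an added illustration written for this post, not code from Adobe, DocuSign, or any other vendor named here.  It assumes Ed25519 keys from Go’s standard library, a SHA-256 document digest, a made-up contract text, and a made-up “service” key standing in for the vendor’s certifying signature; the fixed key seeds exist only to keep the example reproducible.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedRecord is the audit-trail entry for one signing event: who signed, the hash of
// the document bytes as presented to that signer, and the signature over that hash.
type SignedRecord struct {
	Signer    string
	Digest    [32]byte
	Signature []byte
}

// KeysFromSeed derives a deterministic Ed25519 key pair. A real deployment generates the
// private key randomly (ed25519.GenerateKey) and keeps it on the signer's device or HSM;
// the fixed seed here (an assumption of this example) only keeps the output reproducible.
func KeysFromSeed(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed) // seed must be exactly 32 bytes
	return priv.Public().(ed25519.PublicKey), priv
}

// Sign hashes the document and signs the digest. Ed25519 hashes its input internally, but
// signing the digest means the stored Digest is exactly what the signature covers.
func Sign(signer string, priv ed25519.PrivateKey, doc []byte) SignedRecord {
	d := sha256.Sum256(doc)
	return SignedRecord{Signer: signer, Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// Verify checks a record against the document the receiving party actually holds and
// against the public key the receiver trusts for that signer. Comparing the digest first
// separates "the document changed" from "the signature is not from this key".
func Verify(pub ed25519.PublicKey, doc []byte, rec SignedRecord) error {
	d := sha256.Sum256(doc)
	if d != rec.Digest {
		return errors.New(rec.Signer + ": document modified since signing")
	}
	if !ed25519.Verify(pub, d[:], rec.Signature) {
		return errors.New(rec.Signer + ": signature does not verify under the supplied public key")
	}
	return nil
}

// Certify is the service's counter-signature over the document plus every party's
// signature (the "blue ribbon"): changing any of them invalidates the certification.
func Certify(servicePriv ed25519.PrivateKey, doc []byte, recs []SignedRecord) []byte {
	return ed25519.Sign(servicePriv, certDigest(doc, recs))
}

// VerifyCertification checks the service's counter-signature with the service's public key.
func VerifyCertification(servicePub ed25519.PublicKey, doc []byte, recs []SignedRecord, cert []byte) bool {
	return ed25519.Verify(servicePub, certDigest(doc, recs), cert)
}

func certDigest(doc []byte, recs []SignedRecord) []byte {
	h := sha256.New()
	h.Write(doc)
	for _, r := range recs {
		h.Write([]byte(r.Signer))
		h.Write(r.Signature)
	}
	return h.Sum(nil)
}

func main() {
	// Constructed sample contract for this example; not a real agreement.
	contract := []byte("Services Agreement v3: Acme pays Widgetco $10,000 on delivery.")
	acmePub, acmePriv := KeysFromSeed(bytes.Repeat([]byte{1}, 32))
	widgetPub, widgetPriv := KeysFromSeed(bytes.Repeat([]byte{2}, 32))
	svcPub, svcPriv := KeysFromSeed(bytes.Repeat([]byte{3}, 32))

	recs := []SignedRecord{
		Sign("acme-cfo", acmePriv, contract),
		Sign("widgetco-ceo", widgetPriv, contract),
	}
	cert := Certify(svcPriv, contract, recs)

	fmt.Println("acme ok:", Verify(acmePub, contract, recs[0]) == nil)
	fmt.Println("widgetco ok:", Verify(widgetPub, contract, recs[1]) == nil)
	fmt.Println("certified:", VerifyCertification(svcPub, contract, recs, cert))

	// Tampering after signature: one digit changed in the amount.
	tampered := bytes.Replace(contract, []byte("$10,000"), []byte("$90,000"), 1)
	fmt.Println("tampered:", Verify(acmePub, tampered, recs[0]))
	fmt.Println("certified after tamper:", VerifyCertification(svcPub, tampered, recs, cert))

	// Key substitution: a valid signature checked against the wrong party's key. This is why
	// the receiver must know which public key belongs to the claimed signer (the CA/PKI step).
	fmt.Println("wrong key:", Verify(widgetPub, contract, recs[0]))
}
```

Running it prints true for the three untampered checks, an error for the edited contract, false for the certification over the edited contract, and an error for the signature checked under the wrong key.  The last case is the point of the certificate authority: the signature is mathematically valid, but it proves who signed only if the verifier already trusts the link between that public key and that person.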

When to Use Handwritten Signatures vs. Electronic Signatures on Contracts

Although electronic signatures are in most cases recognized as being equally valid as handwritten signatures, there are occasions when handwritten signatures may be more appropriate.  When doing a substantial deal with a party in a more formalistic country, such as Japan, China, Spain, or Italy, a personal signing ceremony can be a culturally sensitive choice.  Parties might also prefer to sign in person or exchange wet-ink signatures when stakes are high or emotions run deep, as with the sale of a business.  In addition, under law, there are certain types of agreements that cannot validly be signed electronically.  For example, in many places, wills, testamentary trusts, family law documents, and many U.C.C. documents must be signed by hand.  If in doubt as to whether a contract may validly be signed electronically, check with your attorney first.  Also, government regulators in some highly regulated industries such as pharmaceuticals and financial services regard the use of digital signature technology favorably for regulatory and legal compliance.

Just as signing and emailing documents became prevalent with widespread adoption of PDF files and improvements in scanners, so, too, are electronic signatures likely to become more mainstream as people discover the increasing efficiency and security of e-signature technology.