Anyone who markets to countries in the European Union (and so is transferring data from the EU to the United States) knows that the Safe Harbor program has been made null and void. You probably also know that most businesses can provide Model Clause contracts for companies who are concerned with cross-border data transfers. These are standard contractual clauses that the European Commission has said “provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.”
The shorthand is that these clauses are an adequate method to ensure compliance. But they fall short of the broad umbrella that’s needed: a framework to bridge the differences between various countries’ approaches to privacy, and provide a streamlined means for U.S. organizations to comply with EU data protection laws.
Everyone is in agreement that privacy is good for business. The Safe Harbor program served us well in the pre-digital market, but it’s time to move on.
So: what’s next to replace Safe Harbor? Ladies and gents, let’s get ready for the upcoming Privacy Shield (not to be confused with superheroes and the like, who actually carry shields).
In April 2016, the new EU General Data Protection Regulation (“GDPR”) became law in the European Union, replacing existing EU and national data protection laws. This is a set of laws to standardize privacy and data protection intra-EU, and it’s intended to take effect in 2018. (Read about the GDPR and Brexit)
The Privacy Shield is the proposed new legal framework for transatlantic data flows. It’s designed to reestablish a legal framework for EU–U.S. data flows. Like Safe Harbor, Privacy Shield is a joint effort between the U.S. Department of Commerce and the European Commission.
Here’s an overview:
While the decision on the Privacy Shield is currently being reviewed by the European Commission and a decision is due in July, the expectation that, if passed, the agreement will more than likely face a higher court ruling challenge at the Court of Justice of the European Union.
Which means there will be a delay in adopting the shield. Does this sound a little like “Groundhog Day”?
A few highlights of Privacy Shield:
EU citizens will have the abilities to “complain” directly against a U.S. Privacy Shield participant, with a mandatory 45-day response window for resolution.
U.S. Government access:
If you recall, one of the sticking points that led to the demise of Safe Harbor was the small incident of Edward Snowden and the U.S. Government’s monitoring activities. So with the Shield in place, the United States has agreed to provide clear limitations, safeguards, and oversight mechanisms to our EU partners.
The Privacy Shield allows for U.S. companies to report the number of access requests they receive from the government, and an independent ombudsman will be able to handle and investigate individual complaints.
The Federal Trade Commission and the Federal Communications Commission have committed to monitor and enforce more robustly and cooperate more with the EU DPAs (data protection agencies). There will also be a joint annual monitoring of the effectiveness of the Privacy Shield and an annual report to the European Commission and the EU parliament.
Both skepticism and support for the Privacy Shield have been well-documented. I think we will get to some common ground on the agreement, but it will take some time.
My prediction* is that we have more chance of England winning the Euro 2016 tournament than the Privacy Shield becoming effective in 2016.
So what’s a privacy-committed organization to do in the meantime?
Until we get the Shield in place, Model Contracts and Binding Corporate Rules are still a legally acceptable form of transfer. (That’s what Act-On does.) As always, we’re offering a point of view here. You will need to seek a legal opinion on any compliance or regulatory issue that may affect your business.
We will be communicating updates as we get them on all things Shield-related.
*England out in the semis.