The EU and US have agreed a new pact to replace the data transfer mechanism called Safe Harbour that was declared invalid late last year. It is hoped that the new pact, called Privacy Shield, will make it easy for organisations to transfer data across the Atlantic, countering a threat facing tech firms of all sizes that would have made it impossible to send personal information for processing in US data centres.
Question: How many lawyers does it take to overturn a 15-year EU-US privacy arrangement?
Max Schrems wasn’t a qualified lawyer. He was just a student from Austria studying law during a semester abroad at Santa Clara University in Silicon Valley when he started a campaign against Facebook for privacy violations, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA). That campaign eventually led to the downfall of the whole EU-US data transfer mechanism called Safe Harbour.
Ever since Safe Harbour was overturned, businesses have been seeking a quick and clear resolution. They have been encouraging the European Commission and US administration to move quickly to agree and implement a new arrangement that would allow trans-Atlantic data flows to resume on a secure and stable legal footing.
International data transfers not only enable global trade, but are also central to many companies’ ability to collaborate and operate both internally and with the partners and clients that they serve.
The delay in negotiating a replacement for the previous, but now defunct, EU-US data transfer mechanism has left firms in limbo without a safe legal footing for such data transfers, which are seen as critical to the global digital economy.
The new agreement is called the EU-US Privacy Shield and it includes the following provisions:
- A US ombudsman will be created to handle complaints from EU citizens relating to any allegations of Americans spying on their data.
- A written commitment protecting Europeans’ personal data from mass surveillance will be provided by the US Office of the Director of National Intelligence.
- An annual review conducted by the EU and US will ensure the new system is working properly.
A host of bodies including the European data privacy watchdogs, their US counterpart and the Federal Trade Commission will monitor arrangements and flag up any problems.
Companies that are found to abuse or fail to comply with privacy safeguards could be prevented from making use of the trans-Atlantic data transfer arrangements.
So that’s easy then – it’s all sorted. As ever, things aren’t quite as simple as this. A few significant hurdles remain:
- Approval – national watchdogs across the EU are now examining the provisions outlined in the pact and all 28 EU nations then need to approve the arrangements.
- Opposition – many privacy campaigners remain adamantly opposed to any pact that might allow trans-Atlantic data flows to continue and some have vowed to do all that they can to combat the EU-US Privacy Shield.
- Implementation – firms will then need clarity on what is expected from them in order to comply with the new privacy safeguards so that any changes to their systems and processes can be implemented effectively.
So while the clarity and certainty in international data privacy regulation that businesses are crying out for is not quite here yet, we do at least have an indication of the likely provisions. There has already been significant progress towards finding a replacement data transfer mechanism for Safe Harbour and we now need to complete the approval process and make it work.