There’s a new framework for creating greater data privacy between the United States and the European Union. While it’s taken two years of work, some would argue little has changed and that it’s likely to get struck down — others laud the progress. Let’s get clarity on what that means for businesses leveraging data “across the pond.”
Transatlantic Data Privacy Is Dead. Long Live Transatlantic Data Privacy.
First there was Safe Harbor, the European Union-United States agreement to protect the data privacy of users in Europe as that data pulsed across the Internet and into the United States. It was arguably a historic step, but it ultimately was struck down and eliminated. Many questioned its value beyond being “a step.” It has now been replaced by the “EU-U.S. Privacy Shield,” which imposes greater obligations on U.S. businesses to protect Europeans’ personal data.
The Privacy Shield Agreement establishes a whole new set of legal requirements by the E.C.J., the European Court of Justice, which also ruled the previous Safe Harbor framework invalid.
What Is the Privacy Shield?
First and foremost, the Privacy Shield is opt-in. If your business doesn’t opt in, you don’t have to abide by it. The downside is that you won’t be published on the “list” of Privacy Shield-compliant companies. European consumers could refuse to do business with you, and it could become a media problem — though the average consumer probably doesn’t know the ins and outs of data privacy. So its success will, in part, rely on its adoption. If it is not adopted widely, we can expect additional regulations to compel organizations exporting data from the E.U. to meet the objectives of the Privacy Shield.
Most importantly, however, the Privacy Shield includes, for the first time, written commitments and assurances regarding access to data by public authorities. For the first time, the United States has given written assurances that it will not conduct mass surveillance of data entering the U.S.
The new Privacy Shield agreement requires the U.S. to “monitor and enforce” more aggressively. The United States is also required to engage in new and greater collaboration with the E.D.P.A., the European Data Protection Authorities.
The goals of both the original Safe Harbor Agreement and the new Privacy Shield are quite similar. Businesses must treat data created in the E.U. in accordance with E.U. law, regardless of whether that data is physically stored on a server in New York or Paris.
So how do companies accomplish this? The answer is basically by stating “yes, we meet the E.U. standards.” So not much has changed between Safe Harbor and Privacy Shield here.
How Do the Safeguards in the Privacy Shield Work?
However, new safeguards help ensure that both companies and governments abide by the Privacy Shield’s requirements:
- The first difference is a real one: it now falls on the shoulders of the U.S. Department of Commerce to make sure that companies meet the more stringent data privacy requirements. The Department of Commerce will monitor whether companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Second, if your data originates from the European Union ― and you don’t have to be a European (the U.K. is still covered post “Brexit”) ― you can complain if you feel your privacy rights were violated. Those complaints will now be sent to the U.S. and must be addressed “expeditiously” and at “no cost to the individual.”
- In the agreement, the United States “ruled out indiscriminate mass surveillance on personal data transferred to the U.S.” Furthermore, the U.S. promises in writing that mass collection of data originating from the E.U. will “only be used under specific pre-conditions and needs to be as targeted and focused as possible.”
- An ombudsperson will now handle complaints about data that is accessed on “national security grounds” — they are tasked with working independently of all other federal security agencies, which is a significant commitment for the United States, given our recent history and experiences under the Patriot Act.
Implementation for U.S. Firms in Simple Terms
At this juncture there are still details being worked out in the Privacy Shield Framework, but the following are fairly clear steps for U.S. firms:
- Self-certify annually that the firm meets the requirements.
- Reply promptly to any complaints.
Some might call all this common sense, some may call it nonsense. But data privacy is an issue that deserves credit for being addressed, and the new framework builds on the lessons of the judgment that struck Safe Harbor down.
We recommend that businesses leveraging personal data, whether exporting it from the E.U. or solely using it domestically, exercise some simple, common-sense steps that are consistent with the Privacy Shield:
- Listen to your customers.
- Have a clear and simple statement on how you will use consumer data – and how you won’t.
These simple steps can get you started, and there will certainly be more to come in regard to data privacy.