the proof of the pudding, what you need to know about privacy shield

Privacy Shield is replacing Safe Harbor, or more accurately, its filling the gap Safe Harbor left behind.  What does this mean for your company?

Erh, Safe Harbor?

If you are familiar with the painful downfall of Safe Harbor, you can skip this first part. For those who need a bit of a refresher, here’s a two penny summary.

Safe Harbor was a framework agreement between the EU and the US that was supposed to ensure the protection of EU personal data in the US, and facilitate data transfer from the EU to the US. US companies could Safe Harbor-certify and subsequently data could be legally transferred from the EU to the US.

It’s safe to say that the Safe Harbor framework was largely based on trust. Trust in US companies self-certifying under Safe Harbor and the US government enforcing it. So when the news came out that the NSA was snooping through data of EU citizens, requesting access and secret back doors into the systems of Safe Harbor certified companies, some parties to the Safe Harbor romance were not amused.

“Now that, was not what was agreed” said Max Schrems, an Austrian student with a Facebook account. He challenged Facebook in court for sending his data to the US, and won. Facebook was Safe Harbor certified but the European Court of Justice agreed with Schrems, that the US (and subsequently Facebook) was not providing adequate protection for Schrems’ personal data. Goodbye Safe Harbor.

With Safe Harbor out the Window, Atlantic data transfers relying on Safe Harbor became illegal, instantly. Data Protection Authorities all over Europe were rubbing their hands and sharpening their teeth. In Q4 2015 they gave the EU and US Commissioners an ultimatum of less than 4 months to fix the situation. In the meantime, many companies were quick to adopt other measures to legalize their trans-atlantic data transfers, such as Binding Corporate Rules and Standard Contractual Clauses (BCR and SCC).

Hello, … Privacy Shield? …  hellooo!?

On February 2nd 2016, the new framework for trans-Atlantic data transfers “Privacy Shield” was presented. Just 2 days after the deadline set by the working party of the combined EU Data Protection Authorities (the WP29).

Brilliant! You might think, so where can we find this agreement and get on with it? Ah, not so quick, the agreement does not really exist, yet. What was presented as “The new agreement” is really just a list of key elements of an agreement, which will have to be (re)formulated in more detail over the next couple of months.

Key Elements

Here are the key elements presented as the Privacy Shield:

more stringent rules for US companies handling EU personal data. The US Government will now actively monitor compliance with the Privacy Shield provisions;
clear limitations for the US authorities to access EU personal data, enforced by safeguards and oversight mechanisms. This means that EU citizens will be afforded a way to challenge the use of their data by US authorities. A novelty is that the US and EU will evaluate this new mechanism annually; and
Easy redress for EU citizens who believe their data have been misused via an especially appointed US ombudsman.

All cleared up?

The one million dollar question that is on everybody’s mind is if this Privacy Shield will put an end to uncertainty. The answer is, we don’t know. The WP29 have announced that for now, they will not undertake enforcement actions against companies that have switched to alternative methods of data transfer such as BCR’s and SCC’s. Once they’ve had the time to review the new Privacy Shield documentation, they will give an overall assessment and statement of validity on all data transfer methods, the Privacy Shield, BCRs and SCCs included. In other words, what we’ve heard until now are just words from the European Commission. The proof of the pudding is in the eating.

What to do

Adopt acceptable data transfer Mechanisms. If your company transfers data from the EU to the US, and you haven’t already adopted one of the mechanisms that the WP29 seem to accept for now (BCR’s or SCC’s) we advise you to adopt such measures. This won’t give absolute certainty that what you’re doing will be considered legal in the future. But until further notice, this should keep the DPA foxes out of your data-henhouse.

Keep an eye on future developments. It will take a while before the final draft of the Privacy Shield agreement is agreed. The Commissioners on both sides are optimistic on a timeline of a couple of months. However, with the US elections underway, and uncertainty as to how the next administration will receive this agreement, some commentators have warned that its way too early to start celebrating yet. Once the final agreement is in place, the position of the DPA’s as to what is accepted and what not, may change, and you may have to change your game with it.

Helena Verhagen, Privacy Valley