1 Mar 2016
Goodbye Safe Harbour, hello Privacy Shield
The European Union and the United States have reached an agreement on international data transfers following last October’s ruling that the Safe Harbor agreement, was invalid. The new data-transfer agreement is called the EU-US Privacy Shield but what's new about it?
The European Union and the United States have reached an agreement on international data transfers following last October’s ruling by the European Court of Justice that Safe Harbor, the 15-year-old pact between the EU and the US, was invalid. The new data-transfer agreement, called 'Privacy Shield' (yep, very Marvel-esque) provides 'a set of robust and enforceable protections for the personal data of EU individuals.' Fine words but I'm no legal or even data expert, so if you're involved in managing and protecting customer data, you can download the full text here to get to the detail.
The summary however, is that transatlantic data transfers will continue as it looks like safeguards, obligations and enforcement have all been beefed up. Whether the bar for actual data protection has got higher, remains to be seen.
Apart from a new, more Marvel-esque name (and a poor Marvel-esque logo), there are some lofty declarations with a hefty amount of noise being generated (mainly from the EU-US working group putting together the details of the new agreement) about how the EU-US Privacy Shield is a 'significant improvement' on Safe Harbor.
For example it will be subject to annual reviews – unlike Safe Harbor; be supported by the work of a 'independent' ombudsman; and the recourse mechanisms for individuals must be independent and provided at no cost to the individual.
This isn't a done deal however. A lot of commentators are saying there's a long way to go yet. For example, in an article in Computer Weekly last month, Phil Lee, data protection partner at European law firm Fieldfisher, cautioned the business sector against getting too excited about the prospect of Safe Harbor 2.0.
"Today's announcement will undoubtedly be welcomed by many. But keeping in mind that this new Safe Harbour will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would place want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces” he added.
Others are also pointing out the the EU Data Protection Directive – which informed the Safe Harbor agreement – is soon to be superseded by the EU General Data Protection Regulation, a pan-European law that will harmonise data protection across EU member states. Why does that catch the eye? One of its requirements will be that 'all organisations that collect, process or store information will have to meet the GDPR’s requirements, or face penalties of up to €20 million – or 4% of turnover, which in the case of global Internet companies could be billions.'
Can you imagine? A board meeting where 4% of TURNOVER (not profit) is demanded of Facebook or Google? No, me neither.
So, there's still a long way to go.
- Safe Harbour Safe No More, Tincan Blog, October 2015
- IT Governance article: European Commission announces Safe Harbor replacement: the EU-US Privacy Shield
- European Commission press release: Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-U.S. Privacy Shield
- Smart Insights article: EU-US Privacy Shield data privacy deal – full text released
- ComputerWeekly.Com article: EU commissioner sets out challenges of finding a Safe Harbour replacement