So just what is the EU-US Privacy Shield and how will it impact your business, especially after the UK leaves the EU?
The EU has long struggled to protect its citizens’ data when it is stored in the United States by large transatlantic corporations such as Apple, Google and Facebook. In October 2015, the Court of Justice of the European Union (CJEU) declared the ‘Safe Harbor’ agreement invalid. Safe Harbor had stood since 2000 and set out how US-based organizations could handle EU citizens’ personal data once it had been transferred across the Atlantic.
The Edward Snowden revelations about how the US government allegedly accessed personal data undermined that agreement, and something stronger was required. The European Commission stated: “it is crucial to conclude the discussions with our US counterparts on a renewed framework for transatlantic data flows with a higher level of protection. This is important for transatlantic commercial relations and for our citizens.”
The result is the EU-US Privacy Shield, which not only aims to limit the US government’s access to EU citizens’ data stored in the US but also gives those citizens a route to independent dispute resolution if they believe their data has been misused.
About the EU-US Privacy Shield
The transatlantic agreement is based on the following principles:
- Strong obligations on companies handling data: The US Department of Commerce will check regularly that participating organizations are complying with the rules
- Clear safeguards and transparency obligations on US government access: The US has ruled out indiscriminate mass surveillance of data transferred to the country under the EU-US Privacy Shield, and bulk collection is permitted only under specific preconditions
- Effective protection of individual rights: EU citizens who believe their data has been misused will have several dispute resolution options, including an arbitration mechanism and an ombudsperson channel that is independent of the US intelligence services
- Annual joint review mechanism: Bodies from both the EU and the US will monitor the effectiveness of the Privacy Shield scheme on an ongoing basis
How does the EU-US Privacy Shield affect your business?
In a globalized electronic trading environment it is highly likely that corporate data will find its way onto US servers. Under Safe Harbor, US companies self-certified that they would protect EU citizens’ data when it was transferred to American data centers, and that claim was rarely verified. The EU-US Privacy Shield keeps self-certification but adds oversight and redress on top of it, with the aim of giving both citizens and businesses stronger, enforceable protection for their data.
If your company uses cloud services hosted in US data centers, those providers will need to meet the EU-US Privacy Shield requirements, so check that each one actually appears on the Department of Commerce’s list of certified organizations rather than taking a marketing claim at face value. Some commentators suggest that European companies may switch to European cloud service providers just to be sure. Encryption is another way to add a level of protection that does not depend on the legal framework at all: if data is encrypted before it leaves your control and the keys stay in the EU, the US host cannot read it no matter what access it is later asked to grant.
Given this is an EU-US agreement, what impact would leaving the European Union have on British companies, as and when the time comes?
Lynn Collier, COO at Hitachi Data Systems UK, believes that the UK needs to decide whether it will adopt similar data protection laws when it leaves the EU, and that either way companies need to plan now for any eventuality.
Writing in Computing magazine, Collier advises: “To prevent this, British consumers and businesses should begin making contingency plans to determine the path to compliance and to ensure their personal data and the data they look after is fully protected, regardless of the implications from Brexit.”
So the lesson from the experts is to plan now to secure your corporate data, whatever the legal framework looks like in the future. For a deeper look at the EU-US Privacy Shield, have a look at the European Commission’s Q&A on the topic.