In July, the long-awaited EU-US Privacy Shield came into effect. Already, the measure is proving controversial among transatlantic businesses, with some EU firms (and governments) finding the measure too little, too late.
End of Safe Harbour
The Safe Harbour Privacy Principles, drawn up by the EU and the United States at the turn of the millennium, were designed to overcome issues created by the EU’s Data Protection Directive, which outlawed the transfer of personal data from within the EU to ‘third party’ countries elsewhere. As the internet was already making geographic barriers to data transfer obsolete, and with the US leading the way in the growth of web-based services, Safe Harbour was a mechanism to ensure that the United States was not treated like a ‘third party’.
US-based businesses were able to self-certify that they complied with the main principles of the Data Protection Directive, enabling them to process data relating to EU citizens on an equal footing with their Europe-based counterparts. However, in October 2015, following a complaint from a Facebook user that his personal data held on US servers was insufficiently protected, the European Court of Justice declared Safe Harbour invalid.
The intervening months have seen frantic activity by businesses and governments, with major US data processors like Amazon and Box expanding their European data centre operations, while EU and US authorities have worked to implement a new framework for transatlantic data flows.
Rise of Privacy Shield
The result is the EU-US Privacy Shield, ratified by the EU on July 12th and in force since August 1st, with US companies being told to sign up if they wish to continue working with EU data on US soil.
The European Parliament recognises that Privacy Shield is an improvement on Safe Harbour but finds it wanting in certain areas. Points of concern include the function of a proposed US data ombudsman, the length of time for which data is held, and the power of European citizens to seek redress against US businesses in the event of a breach.
In an attempt to offer stability, the EU has agreed not to challenge Privacy Shield for at least twelve months. This is not likely to stop privacy activists protesting the agreement in the courts, however.
Meanwhile, European businesses should be taking data protection issues even more seriously following the EU’s adoption of the General Data Protection Regulation (GDPR) – essentially a beefed-up version of the Data Protection Directive which it replaces. The GDPR, which will apply from May 2018, goes as far as setting out clear sanctions for data privacy leaks by EU businesses within EU borders, including a maximum fine of €20M or 4% of annual turnover (whichever is higher) for a data breach.
US businesses take note: as European organisations gear up to meet these stringent EU requirements, they are likely to expect a lot more from their stateside suppliers and data handlers, seeking a level of protection and assurance which exceeds that set out in Privacy Shield.
There are several measures US businesses can take to satisfy EU customers. The first is to relocate selected data processing resources to Europe and use them for EU data. US businesses already using cloud hosting, such as Amazon’s AWS or Microsoft’s Azure, are one step ahead in this respect: these providers already have data centres in the EU. However, the EU operations of US businesses that choose this route will have to comply with GDPR.
Another option to mitigate risk is to include certain model clauses in any data exchange agreements drawn up with European clients. The clauses show good faith by the supplier in attempting to meet the expectations of regulators, and were used as a fallback by some businesses between the demise of Safe Harbour and the launch of Privacy Shield. The standard wording for these clauses – of which there are three types, depending on the nature of the data processing – should not be changed, but they could be augmented with additional safeguards to put European clients’ minds at ease.
A final option is to use Binding Corporate Rules (BCRs), which serve a similar purpose to the model clauses but do not come with standard wording. BCRs therefore have to be approved by a lead data protection agency, usually in the country where the European operations are based. The advantage of BCRs is that they offer a measure of flexibility should the scale or nature of the data exchanges evolve in the future.
Ultimately, US companies need to provide maximum peace of mind for EU businesses and customers when handling their data. The best way to achieve this is to align data privacy policies with those of the European customers they wish to serve. Those US businesses that raise the bar of their privacy efforts and adopt a ‘more than minimum’ approach may find a measure of competitive advantage in the European market.