
What you need to know about Privacy Shield

Created at August 22nd, 2017

Dr Sachiko Scheuing, European privacy officer at Acxiom and co-chair of FEDMA, advises computing.com on the new EU-US Privacy Shield

The European Commission's decision to approve Privacy Shield, also known as Safe Harbour 2.0, was announced to relatively little fanfare in early July, and self-certification has now opened with the US Department of Commerce.

This is welcome news, given the scale of data flows between the US and the EU, and the framework's first annual joint review is not due until 2017. But for EU businesses, what are the main things they need to know?

Designed to meet the requirements of EU law as set out by the Court of Justice when it struck down Safe Harbour, Privacy Shield effectively upgrades the privacy protection that was afforded by the now defunct regime. It should give EU consumers greater peace of mind that their personal details are better protected when sent to, and stored on, US servers. It also formalises routes of complaint and redress, including independent dispute resolution and an Ombudsperson for complaints about access by US intelligence agencies, should EU citizens believe their data has been compromised or spied on.

One crucial part of the new regime is this: it will be reviewed jointly by the EU and US on an annual basis, to ensure it stays effective and up-to-date, taking into account the latest technologies. While Privacy Shield has already encountered criticism in some corners, this system of continual oversight and review should ensure the regime continues to work.

Following the EU referendum in the UK, there has been much speculation about the future of the GDPR and Privacy Shield – both agreed this year – for the UK and British businesses, especially given the UK’s aspirations to continue to grow its digital economy.

The UK will be able to use Privacy Shield at least until it exits the European Union; if the UK does act on the result of its referendum, it seems likely that a similar regime will need to be agreed with the US to protect UK citizens.

In the run-up to Brexit, the UK is likely to consider whether both the GDPR and Privacy Shield could be improved upon. It is also possible that the UK will need to agree its own form of Privacy Shield with the remaining EU countries, should they deem the UK's privacy laws inadequate once it has left.

Privacy Shield puts much more onus on the companies transferring the information and holds them accountable if its principles are breached. Alongside the limits and assurances it places on the US government's ability to access the information of EU citizens held on US computers and to conduct 'mass surveillance', businesses that fail to safeguard EU citizens' personal information and leave it open to abuse face sanctions, enforced in the US by the Federal Trade Commission.

This could potentially affect UK and EU organisations, large and small, since their customer information can pass through US-based payment processing systems, cloud storage providers, web hosting providers and any third-party processors in the US. Effectively, anyone concerned will need to map their data flows and check their suppliers: confirm whether each US recipient appears on the Privacy Shield list maintained by the Department of Commerce and keeps its certification current, or, if not, which other transfer mechanism (such as standard contractual clauses) the contract relies on.

Ultimately, Privacy Shield provides a much-needed upgrade to the previous Safe Harbour agreement, and it means that the transatlantic flow of information from EU citizens can continue in a safe and compliant way, while protecting individual rights to privacy.

Privacy Shield will require companies to review the privacy processes in their organisation, such as privacy policies, opt-out/opt-in mechanisms, and third-party contracts. It not only protects brands and business-to-consumer relationships, but also makes the US companies applying for the new scheme more accountable for data protection.