After a European Union court outlawed the Safe Harbour laws last year, the EU and United States have been scrambling to put a new system in place. On Tuesday, February 2, EU and US negotiators reached an agreement regarding the transfer of personal data across the Atlantic. Many major US corporations such as Google, Amazon, and Facebook have been hanging in the balance waiting for these two players to come to some kind of agreement over how data transfers should be handled moving forward.
The new system is being called ‘Privacy Shield’ and will replace the Safe Harbour rules. The agreement will still require political approval, but it is definitely the step forward that was needed to get things moving on this issue. The current plan is for a joint review of the agreement to be held on an annual basis.
The new agreement places stronger obligations on US companies to protect the personal information of European citizens and build stronger monitoring and enforcement mechanisms within the US. The US intends to create an ombudsman within the US State Department, which will deal with complaints and any enquiries raised by EU data protection agencies. The parties will also be creating an alternative dispute resolution system that will be used to solve grievances.
In case that wasn’t enough protection for Europeans, the EU data protection agencies will also work with the Federal Trade Commission (FTC) to police the whole system. The EU Commission claims that this is the first time the US has provided them with written assurances regarding the safeguards and limitations available within the US surveillance program, so the EU is ensuring they have all of their bases covered.
Many lobbying groups on both sides of the Atlantic seem quite happy with the terms of the agreement and hope it will bring positive changes to the current system for the transfer of personal data. Some of these groups include The Information Technology Industry Council, Paris-based International Chamber of Commerce, and BusinessEurope.
Not everyone is seeing the new agreement as a positive though. Max Schrems, the Austrian law student who sued Facebook in Ireland, resulting in the destruction of the Safe Harbour rules, is doubtful the new pact will provide the necessary protection for European personal information. Along with Schrems, other organizations are also suggesting that the new system will be flawed and appears to only be a Band-Aid fix, rather than an actual solution.
What seems to be the biggest problem is the uncertainty that still exists surrounding what Privacy Shield entails. The details seem foggy at best and haven’t been fully released as of yet. There is also concern surrounding whether or not companies that are currently using the Safe Harbour system can and will be prosecuted in Europe. Some EU nations’ data protection agencies are suggesting they will wait for the final word on Privacy Shield before commencing any further investigations and pressing charges, recognizing that it can take time to put a new system in place. Other nations are taking the opposite stance, holding that since the court order late last year, any company still using the Safe Harbour system is breaking the law and thus susceptible to prosecution.
There are other data transfer systems available to companies, including binding corporate rules (BCRs) or the standard contract clauses (SCCs). Unfortunately, these systems are complex and legally burdensome, requiring a large amount of time and resources to implement. So, while the larger corporations such as Google or Amazon could take this route, it isn’t necessarily available to the smaller companies that conduct business in Europe.
The free flow of data between the EU and the US is critical, so it was necessary for the two parties to find a solution fast. Cross-Atlantic data transfers are used daily in a large variety of industries. Transfers can range from sharing of employee information to the transfer of credit card, travel, or other data needed for the purchase of consumer goods.
Whether the new agreement will only be a Band-Aid that temporarily stops the bleeding, or the solution we have been waiting for, only time will tell. But for now, it is a step that allows US companies to get out of their current limbo and move forward with less concern about potential legal ramifications because there is, or will be, a new system in place.
For more information regarding the new agreement and what it could mean to you and your business if you conduct transactions in Europe and allow for the flow of personal information, contact Revision Legal’s Internet attorneys through the form on this page or by calling 855-473-8474.
Image credit: Flickr user OpenDemocracy