An update on the announcement of the new 'Privacy Shield' which means that transatlantic data transfers could be suspended
Importance: (For International marketers and customer data managers)
Recommended source: EU Press release rejecting the Privacy Shield
31 May 2016 update: Just when it looked like the EU and US were starting to see eye to eye on privacy, or at least on the need for a deal, things changed and suddenly the deal is looking less likely. Yesterday Giovanni Buttarelli, the European Data Protection Supervisor, said in a press release that the new Privacy Shield is "not robust enough" and needs significant improvements.
You can read his comments from his press release below:
"I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court. Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue."
Mr Buttarelli's comments do not mean the Privacy Shield is scrapped by default, but they may influence events. The deal was due to be ratified by the European Parliament in June, but that date now looks almost certain to be pushed back. Mr Buttarelli is an official advisor to the Parliament, so he will be able to set out his concerns and may convince legislators to pull the plug on the deal.
1st March 2016 update: The EU and US have now released the full text of their data-transfer agreement, called 'Privacy Shield'. In their own words, the text 'provides a set of robust and enforceable protections for the personal data of EU individuals.' If you're involved in managing and protecting customer data, you can download the full text here. If you just want an overview of the key points, see the brief on the protections the privacy shield provides:
- Requiring additional information be provided to individuals in the Notice Principle, including a declaration of the organization's participation in the Privacy Shield, a statement of the individual's right to access personal data, and the identification of the relevant independent dispute resolution body;
- Strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party controller by requiring the parties to enter into a contract that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles;
- Strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party agent, including by requiring a Privacy Shield organization to: take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request;
- Providing that a Privacy Shield organization is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf, and that the Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage;
- Clarifying that Privacy Shield organizations must limit personal information to the information that is relevant for the purposes of processing;
- Requiring an organization to annually certify with the Department its commitment to apply the Principles to information it received while it participated in the Privacy Shield if it leaves the Privacy Shield and chooses to keep such data;
- Requiring that independent recourse mechanisms be provided at no cost to the individual;
- Requiring organizations and their selected independent recourse mechanisms to respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield;
- Requiring organizations to respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department; and
- Requiring a Privacy Shield organization to make public any relevant Privacy Shield related sections of any compliance or assessment report submitted to the FTC if it becomes subject to an FTC or court order based on non-compliance.
Our original coverage of the Privacy Shield announcement in February 2016
In a surprise move, the EU and US have hammered out a replacement for the Safe Harbour agreement to facilitate transatlantic data transfers. The announcement came late yesterday at an unscheduled press conference. Few expected it, and even fewer thought it would come so soon.
For 15 years the Safe Harbour agreement facilitated data transfers between the US and Europe. It was essentially an agreement between the two powers that each considered the other's data privacy laws adequate, so transferring data relating to their citizens was acceptable.
Safe Harbour was effectively sunk when revelations of mass surveillance by the US government led the EU to declare that US protections weren't strict enough and to rule the agreement invalid.
This suddenly meant US companies couldn't take data on EU customers outside the EU's borders. There was a grace period, since stopping data transfers instantly would have meant the sudden shutdown of many online services. Imagine if Facebook, Twitter, Microsoft and hundreds more services from US-based companies could no longer be accessed from within the EU. Without a deal, US companies would have had to build data centres within the EU and comply with all EU regulations in order to collect user data. Stopping EU data transfers would have meant huge costs for a large number of online businesses and would have disadvantaged businesses and consumers alike.
Why is the announcement a surprise?
If banning EU-US data transfers was going to be such a bad thing, why has it come as a surprise that an agreement has been reached?
Expectations for the negotiations were low. Negotiators missed the 31 January deadline for reaching an arrangement, and when they announced on 1 February that they had failed to reach an agreement, most commentators wrote the deal off as dead.
Apparently the delegates worked day and night to reach the surprise deal, which essentially brings back a renewed version of Safe Harbour, rebranded as the 'EU-US Privacy Shield'.
To reach the agreement the US had to give 'binding assurances' that national security measures would be subject to clear limitations and oversight mechanisms. Indiscriminate mass surveillance of Europeans' data has been ruled out by these guarantees. The 'Privacy Shield' will come into effect in 3 months, provided it receives the needed approvals. This is great news for marketers relying on transatlantic data transfers, as these are no longer under threat (provided the agreement receives all the necessary approvals). Businesses will have to abide by the terms of the Privacy Shield regarding the safekeeping of data, and if they don't comply they will face sanctions and fines.
Stay tuned to the Smart Insights blog for more insights on what this new law and related law changes associated with the GDPR will mean for marketers.