It’s been a couple of months since the EU and U.S. clinched a deal on a new data transfer framework. The framework will govern how Europe’s data moves to the U.S. The previous structure, Safe Harbor, was squashed by a strict EU court after revelations of U.S. government surveillance caused a political backlash in Europe. Under the new agreement, the EU-US Privacy Shield, there will be an annual review to ensure that the new system is working properly. In addition, the U.S. will appoint an ombudsman to handle complaints from EU citizens about Americans spying on their data. European data privacy watchdogs will also work with their US counterparts, the Federal Trade Commission, to address any flagged problems.
What This Means In Practice
This new agreement requires that Americans complete an annual self-certification to meet the requirements. Not only must they abide by strict guidelines, but they must also display their privacy policies on their websites. They must respond to any and all complaints promptly. When handling human resources data, they must be prepared to cooperate and comply with the European Data Protection Authorities.
The new agreement also means changes on the part of European individuals. They must be willing to be as transparent as possible about the transfer of their personal data to the U.S. The agreement also ensures that, in the case of complaints, redress will be less costly and easier with the help of local Data Protection Authorities.
The Challenges Ahead
Multinational businesses welcomed the announcement of the pact. Technology companies like Google and Facebook mainly rely on data transfer to conduct routine business activities. However, after Snowden’s leak, public concerns about data privacy have been raised. Will the pact protect users’ data privacy in exchanges between the two regions? Or is this new agreement nothing more than a “cosmetic” change?
Well, privacy advocates are watching and waiting. Europe’s Article 29 Working Party is willing to give Privacy Shield one year before it decides to take action. What’s more, the General Data Protection Regulation (GDPR), Europe’s new data privacy law, goes into effect in May of 2018, which raises the stakes even further.
At this point, the challenge lies within the realm of education and training that companies are willing to invest in. All employees must understand both the guidelines and the stakes that are involved. There must be a thorough re-examination of all current practices related to data management and a retooling of these practices with an intense look ahead to GDPR. And perhaps the biggest challenge is the one associated with the technical underpinning; companies must be able to ensure proper governance as well as documentation. Should there be accusations of wrongdoing or related questions, these companies must be able to prove their innocence.
Though this new agreement may be a step in the right direction, there is still much to be accomplished. Not only does there need to be compliance, but good faith must also come into play.
By: Suzette Corley, Global Privacy Paralegal
Article keywords: Privacy Shield, Data Privacy, GDPR
Disclaimer: This article provides general information and materials related to contract management. This article does not provide legal advice. Agile Contract Management is not a law firm nor does it provide legal advice. You should contact an attorney to obtain advice with respect to any particular legal issues or questions.