On February 2nd, the European Commission and the United States agreed on a new framework for transatlantic data flows, the EU-U.S. Privacy Shield. This framework, which provides a set of robust and enforceable protections for the personal data of EU individuals, will have a major impact on how U.S. companies collect, manage, and use digital data transferred from Europe to the United States. The new pact aims to ensure that Europeans retain adequate data protection rights when U.S. companies import their personal data.
Replacing the previous EU-U.S. data transfer pact known as Safe Harbor, the Privacy Shield is still being finalized. While the final specifications have not been approved yet, changes are coming, and it’s worth preparing your company for them. A major new element of this agreement is that U.S. intelligence services will have to adhere to new limits and oversight mechanisms when using Europeans’ data. The lack of such safeguards is what sank the Safe Harbor agreement, the predecessor to the Privacy Shield.
Here are five things all U.S. companies should know about the Privacy Shield framework.
1. You don’t have to sign up—but you should.
Signing up to the Privacy Shield is technically voluntary. But if you don’t sign up, you will not be authorized to process any data from the EU in the U.S. without permission from the end user or without using model clauses or binding corporate rules, options that cost more time and more money. Businesses that do sign up will have to comply with the principles outlined in the final agreement, including publishing their privacy policy.
Even if your company didn’t worry about Safe Harbor before, you should pay attention to the Privacy Shield. The definition of “personal data” is about to change.
2. The EU is expanding its definition of “personal data.”
Along with the Privacy Shield, in January of this year the European Commission revealed a draft of its European Data Protection Regulation to replace the previous Data Protection Directive. The Data Protection Directive is a European Union directive created to regulate the processing of personal data within the European Union. Officially known as Directive 95/46/EC, the legislation is part of EU privacy and human rights law.
The aim of the new European Data Protection Regulation is to harmonize the current data protection laws in place across the EU member states. The fact that it is a “regulation” instead of a “directive” means it will be directly applicable to all EU member states without a need for national implementing legislation.
The EU General Data Protection Regulation (GDPR) is also expected to expand the definition of “personal data” to encompass a broader range of factors that could be used to identify an individual, such as their genetic, mental, economic, cultural, or social identity.
That means businesses that commonly collect a variety of these data points today for targeted marketing purposes might have to rethink their strategy.
3. New rules and new fines.
There are several new features and requirements that businesses will have to adapt to once the Privacy Shield goes into effect, including:
- Companies will be mandated to appoint data protection officers who will provide citizens with the “right to be forgotten.”
- New restrictions for data owners and data processors will be enforced.
- Breaches of personal data must be reported within 72 hours of discovery.
- The GDPR will fine violating companies as much as 20 million Euro or up to 4% of total annual worldwide gross revenue, whichever is higher.
4. When the Privacy Shield takes effect.
The Privacy Shield must still be analyzed and adopted by the Article 29 Working Party, the Article 31 Committee, and the EU College of Commissioners. In essence, the Working Party will consider whether personal data can be safely transferred to the U.S. under any transfer mechanism, be it the Privacy Shield, Model Contracts, or binding corporate rules. Its opinion is expected in June 2016 and could have significant implications for transfers of personal data to the U.S. and elsewhere.
5. What to do in the meantime.
The best thing to do is improve your data classification. Keeping better track of what personally identifiable information (PII) you have, where you store it, and for how long will give you a leg up in ensuring you have given notice to, and obtained permission from, end users to process and store their PII in the United States.
For many organizations that have been using the Safe Harbor Framework to transfer personal data from the EU to the U.S., Standard Contractual Clauses (SCCs—also referred to as “Model Clauses” or “Model Contracts”) may also provide a relatively straightforward and cost-effective alternative.
SCCs are sets of contract clauses that were issued by the European Commission for purposes of establishing safeguards to allow for the transfer of personal data from the EU to countries (such as the U.S.) that are not otherwise deemed to provide “adequate” protection for the data.
Make sure the attorneys and security experts at your company have briefed teams across the organization on security, compliance, privacy, and legal concerns—the Privacy Shield will affect all of your departments, not just IT and Security.
Data privacy is a core priority here at Return Path and as Chief Privacy Officer, I can assure you that we’ll be watching the Privacy Shield news closely as it unfolds. Subscribe to our blog to stay up to date on key updates and suggested actions.