After missing Sunday’s deadline, negotiators in the US and Europe have come to an agreement this week about how data can move across the Atlantic without infringing on European citizens’ privacy.
The new framework for transatlantic data flows, called the EU-US Privacy Shield, will “provide stronger obligations on companies in the US to protect the personal data of Europeans and stronger monitoring and enforcement by the US Department of Commerce and Federal Trade Commission,” according to a statement on Tuesday by the European Commission.
The EU-US Privacy Shield comes months after the European Court of Justice (ECJ) struck down Safe Harbor, putting an end to a 16-year-old system that allowed US and European companies to avoid cumbersome checks when transferring data across the Atlantic.
In an interview with the WHIR, David Snead, i2Coalition board chair and chair of the public policy group, said that the Privacy Shield agreement is a “really good start” but that there are still more details that need to be ironed out.
“Information is starting to come out about what this agreement is going to look like but we don’t know exactly what’s in it yet,” he said. “It’s going to be important before we determine whether or not this is going to be doable or workable to see what’s in it.”
According to the European Commission, the new arrangement will include: strong obligations on companies handling Europeans’ personal data and robust enforcement, clear safeguards and transparency obligations on US government access, and effective protection of EU citizens’ rights with several redress possibilities.
Replacing Safe Harbor
Safe Harbor was enacted in 2000 in order to bridge the different approaches to privacy protection by the US and the European Union, creating a simplified way for organizations to comply with the European Commission’s Directive on Data Protection. Critics believed the framework was plagued by a lack of active enforcement by the US government and a lack of transparency of privacy policies of some participants. Snead said that while some of the concern around the way Safe Harbor was administered “is valid…some of it is speculation.”
One of the key misunderstandings that I hear is that [Safe Harbor] is required for US companies to receive data from Europe. That’s not accurate. It’s required for European companies to comply with EU laws when they send data to the US. – David Snead
“What happened was the European Court of Justice determined that the adequacy determination that had been given to Safe Harbor was not valid so it did not meet the standards necessary to ensure adequate protection of EU data, based on events that had occurred since Safe Harbor was enacted.”
“Those were revelations about US government surveillance practices; a change in the way data is shared. The case that was brought before the ECJ was based on Facebook. That’s what put this issue in the spotlight,” Snead said, in reference to the case brought forward by privacy activist Max Schrems against Facebook in Ireland. Schrems alleged that his privacy had been violated by the NSA’s mass surveillance programs. While Ireland’s data regulator rejected his case because it was bound by Safe Harbor, Schrems appealed this decision to the ECJ.
“Honestly, the US and EU had been negotiating a replacement for Safe Harbor for some time. My understanding was that prior to the ECJ decision the US and EU were very close to a replacement for it and the ECJ decision changed the way the Europeans needed to approach negotiations in order for it to be compliant.”
Safe Harbor was deemed invalid on Oct. 6, 2015.
Data Flow Interruptions Avoided
Much of the media coverage prior to the announcement of Privacy Shield focused on what would happen should an agreement between the EU and US negotiators not be made: essentially data could have been blocked from being transferred.
“It could have been the case, if the adequacy decision with Safe Harbor wasn’t available, European companies would not be meeting their legal obligations when they sent data to the US. There was a very real – and it was not overblown – potential that it would interrupt trans-Atlantic data,” Snead said.
“It’s really testament to the negotiators that they were able to do this and be thoughtful of the economic impact of cutting off data between the US and Europe.”
While a lot of the focus has been on how Privacy Shield will impact large technology companies such as Google or Facebook, there could be real consequences to smaller technology service providers like web hosts or data companies who need to comply with global privacy laws.
“For a small to medium sized hosting company, they need the ability to compete globally. So if you’re a company that’s based in Nebraska, you want the ability to have customers around the world,” Snead said. “The largest market for data services is going to be Europe so you want the ability to market in Europe and have your facilities be deemed compliant so when European companies use your facilities, they’re compliant with their own laws.”
“Small hosting companies don’t have the resources to build data centers around the world. Large hosting companies, or large data companies, could possibly address it by building data centers where they could conceivably segregate data, like building a data center in Europe.”
Not everyone is optimistic about Privacy Shield. In an interview with ChannelWeb.co.uk, i2Coalition member Open-Xchange CEO Rafael Laguna said that he believes it is “highly unlikely that this shield will defend European privacy rights in any meaningful way…it is no relief to know that European complaints around the misuse of data will be referred to an ombudsman from the US State Department.”
Snead said there are still “a number of hurdles that need to be crossed before [Privacy Shield] gets implemented. The good thing is that data flows continue.”
These hurdles include coming up with an adequacy decision, which could be adopted by the College of Commissioners after it obtains the advice of the Article 29 Working Party and consults with representatives from the Member States.
According to the European Commission, the US will also need to make “the necessary preparations” to put the new framework in place, including monitoring mechanisms and a new Ombudsman.