Since the old data protection safe harbour agreement between the US and EU was declared invalid in October 2015 there’s been much anticipation about if there was going to be upheaval to the data processing laws and pose greater restrictions on companies transferring data onto servers outside the EU jurisdiction.
Without any safe harbour agreement any company that stored individual’s data in the US would have segment its database and then re-patriate that data back to its country of origin and then delete any trace of it. This would have been a massive undertaken and hugely expensive for all concerned.
There has been a new draft agreement between the European Commission and the US. Announced on the 2nd February and still undergoing political ratification it imposes new tougher enforceable rules on companies handling European’s personal data. It included three key features:
- Strong Obligations for Companies’ Handling of EU Citizens’ Data
- Clear Safeguards and Transparency Obligations for U.S. Government Agency Access
- New Redress and Complaint Resolution Mechanisms for EU Citizens
Following the Snowdon episode, the US has had to provide written assurances that law enforcement and national security agencies are subject to clear limitations, safeguards and oversight mechanisms to prevent unauthorised access/use of personal data. There is also a clearly defined processes for EU citizens who consider that their data has been misused to seek redress without any charge and a new ombudsman will be created. Many still believe this isn’t enough.
As to getting the new safe harbour agreement in place, earlier in March the European Commission published a range of documents that underpin the Privacy Shield. Included in those papers was a draft ‘adequacy decision’ of the Commission which outlined its view that data transfers to the US made under the EU-US Privacy Shield will correspond to EU data protection law requirements. The privacy principles that businesses will have to comply with if they sign up to the Privacy Shield were also detailed in the documents published by the Commission.
A committee made of representatives from national data protection authorities based across the EU known as the Article 29 Working Party said it would “now assess these documents in order to give its opinion on the level of protection afforded by the EU-US Privacy Shield”.
We expect that opinion in mid-April.
Further reading:
http://www.itic.org/safeharbor
https://iapp.org/news/a/we-read-privacy-shield-so-you-dont-have-to/