The EU-US Privacy Shield: What happens next?
Yesterday the European Commission formally approved the EU-US Privacy Shield, making transfers of personal data to the US legal under European law for companies that have certified to the framework.
So, what have businesses been doing to date? Businesses have been switching – or are switching – to other legal solutions so they are able to transfer personal data to the US in a bid to avoid any issues with the decision invalidating Safe Harbour by the Court of Justice of the European Union (CJEU). Those legal solutions include EU-prescribed Model Clauses. Now, if organisations choose to stay on these model clauses, nothing will change, and they can still use them to support data transfers globally.
Model clauses work for all data transfers – not exclusively for transfer of personal data to the U.S. – but they are admin-heavy. Alternatively, they can certify to the EU-US Privacy Shield as a means of transferring personal data from the European Economic Area (EEA) to the U.S.. Model clauses will still be needed for any other data transfers outside of the EEA, however.
Having said all of this, it looks like the EU Model Clauses will get their day in court as the Irish data privacy regulators have recently asked the Irish courts to refer the validity of EU Model Clauses to the CJEU. So, things are changing very quickly which can often cause confusion. It’s important businesses keep in touch with their cloud providers and legal counsel to ensure they stay on top of potential changes in the future.
Companies wishing to self-certify to the EU-US Privacy Shield will need to start putting the pieces in place to comply with the Privacy Principles (updating their Privacy Policy, updating contracts with third-parties to ensure they comply with the Principles, designating an independent dispute body, etc.).
While Privacy Shield not only imposes stricter compliance requirements and enforcement than the original Safe Harbour agreement, it also means that complaints and investigations will probably become much more common — part of the fabric of doing business in Europe. Since it’s now much easier for EU citizens to file a complaint when they suspect potential abuse, companies will have to be prepared to defend themselves by demonstrating that they’re in compliance.
Data sharing cannot be taken for granted anymore. Companies and their cloud providers are more responsible than ever for data privacy, and this responsibility is only going to increase when the GDPR comes into full effect in May 2018. The penalties for wrongdoing could be very severe so planning is critical. The next few years will be a huge test for organisations across the world as they begin to realise that data sharing practices will continue to fall under close scrutiny as the concept of data privacy evolves further.