Maybe your organization doesn't consider itself a multinational now, but changes to European privacy and security law may cause you to adjust your definition. So, if you've been ignoring the news about EU-US Privacy Shield, the trans-Atlantic data transfer agreement that might replace Safe Harbor, now's the time to start paying attention.
Here's what you need to know.
1. What was 'Safe Harbor' and why did it need replacing?
"Safe Harbor" was the agreement that had, for the past 15 years, allowed multinational organizations to store European citizens' personal data in the US if the companies agreed to comply with the EU's data privacy laws. However, in October, the European Court of Justice (ECJ) struck down Safe Harbor.
The ECJ's ruling, in a nutshell, was that American companies were incapable of complying with European laws, simply because they were American. The US government's own invasive surveillance practices and the lack of sufficient American laws protecting privacy put the personal data of all citizens (American and European alike) perpetually at risk.
Therefore, data protection authorities hammered out a new proposed data transfer agreement that would address all the ECJ's concerns. This new agreement is EU-US Privacy Shield -- the announcement was made in early February and the European Commission released complete details Feb. 29.
2. My organization didn't use Safe Harbor. Why should I care about EU-US Privacy Shield?
Maybe you haven't been worried about EU privacy law before, because your business doesn't handle European citizens' personal data...but the definition of "personal data" is about to change.
The EU General Data Protection Regulation (GDPR), a replacement for the EU Data Protection Directive, is expected to be ratified by European Parliament this spring session, and go into effect by 2018. The GDPR will expand the definition of "personal data" to "encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity," according to IT Governance.
A variety of data types, from shoe size to religion to demographic information commonly collected by businesses for targeted marketing purposes might fall under this new definition. Therefore, while only about 4,500 organizations certified for Safe Harbor, many more organizations may need to worry about Privacy Shield when GDPR goes into effect.
3. Speaking of GDPR, what else does that have in store for me?
Violations of GDPR have proposed fines of up to 4% of annual global revenue. Many breaches of personal data must be reported within 72 hours of discovery. The law also establishes many rules about providing citizens with the "right to be forgotten" and many organizations will be mandated to appoint data protection officers. The GDPR has restrictions not only on data owners but processors as well.
On top of the GDPR, the EU rolled out a new Network and Information Security Directive with a variety of new cybersecurity regulations for European critical infrastructure and "digital service providers," which may include entities both inside and outside of the EU.
4. How is Privacy Shield different from Safe Harbor?
Privacy Shield, along with the recently ratified U.S. Judicial Redress Act, gives Europeans accessible and affordable mechanisms to issue complaints about how their private data are used in the US. American organizations will have to respond to complaints from EU citizens about their handling of data within 45 days.
Privacy Shield puts in place more oversight for data protection. The US Department of Commerce and the Federal Trade Commission will be given more responsibility to enforce European data protection requirements, and the Privacy Shield agreement itself will be a "living mechanism" that will undergo annual reviews.
Privacy Shield also tightens the rules on "onward transfer" of data to third-party data processors. An organization can only share EU subjects' data with a third party if that third party also certifies under Privacy Shield and signs a contract with the data owner guaranteeing as much. Nevertheless, the data owner will remain primarily liable for any violations committed by the third party, unless it can prove it was not responsible. This rule applies not only to American companies, but also to European companies that transfer data to US-based processors.
The US Director of National Intelligence will also provide written assurance that there will be limitations on the collection of Europeans' data, and there will be no mass surveillance. An ombudsman independent of the intelligence community will be appointed to address complaints; this ombudsman will reside within the US Department of State.
5. What happens next?
The next significant action will take place April 12-13, when the Article 29 Working Party, a committee made up of representatives from national data protection authorities across the EU, says it plans to adopt an opinion on Privacy Shield.
After that, the Article 31 Committee will provide an opinion, and then the EU College of Commissioners must formally adopt Privacy Shield. The European Commission hopes all this will happen smoothly and that Privacy Shield will be in effect by June.
Even if all that goes to plan, the European Court of Justice could still reject the agreement on the same basis it scrapped Safe Harbor -- if they believe that the changes do not effectively address those problems.
6. Would the European Court of Justice strike Privacy Shield down too?
That depends on who you ask.
The Electronic Frontier Foundation's stance is that Privacy Shield is still full of surveillance loopholes, and that, given that the American government's surveillance laws have not otherwise changed, the new data transfer agreement is unlikely to withstand the scrutiny of the ECJ if it makes it that far. On March 3, EFF international director Danny O'Brien and activism director Rainey Reitman wrote:
The court decision and subsequent negotiation could have been a powerful motivator for the U.S. to clean up its surveillance policies. Instead, the patchwork of concessions in the Privacy Shield leaves the door open for the digital surveillance of hundreds of millions of Europeans.
Others give the agreement more credit. From DataGuidance:
"One of the criticisms of the Privacy Shield has been that it is essentially Safe Harbor repackaged, but I think a look at the scope and content of the documents show it is very different," Cameron Kerry, Senior Counsel at Sidley Austin LLP, said. ... "Certainly the inclusion of public authorities, of US Intelligence Agencies as well as law enforcement is something entirely new in response to the [ECJ's decision to strike down Safe Harbor]. The very detailed and prescriptive requirements added go well beyond Safe Harbor."
"The Privacy Shield is an impressive array of findings, commitments and obligations. It should go a long way towards ameliorating the transatlantic digital tension," Alan Charles Raul, Partner at Sidley Austin LLP, noted. "The ability of the US to adopt in Congress the Judicial Redress Act shows the importance to the US of respecting EU privacy interests."
The EFF, however, points out that US intelligence agencies' assurances not to collect too much data on Europeans are peppered with language that gives them loopholes. The Identity Project similarly calls the Judicial Redress Act "so limited and riddled with exceptions that it is almost worthless." And the European Ombudsman, Emily O'Reilly, objected to the fact that the supposedly independent Privacy Shield Ombudsman would be embedded in the US State Department, when the State Department directly benefits from the activities of intelligence agencies and an ombudsman, by definition, must be independent.
This could be even more troublesome if the State Department receives more data intercepted by the NSA, as the White House has recently discussed.
7. What are organizations doing to transfer trans-Atlantic data while they're waiting for EU-US Privacy Shield to (maybe) go into effect?
Safe Harbor was never the only way to transfer data; it was just the best way, particularly for companies that transfer Europeans' data across the Atlantic between many different companies. In the absence of such an agreement between nations, organizations can use "standard contractual clauses" (SCCs, a.k.a. "model clauses") or "binding corporate rules" (BCRs).
SCCs can be used by an individual organization for transfers across departments in different countries, or between an individual company and a vendor. BCRs, on the other hand, give an organization broader freedom, but typically take months to implement, because they have to be approved by data protection authorities in each EU jurisdiction in which the organization operates.
For now, both of these options are available, because the ECJ's ruling only pertained to Safe Harbor, not all data transfer. However, Isabelle Falque-Pierrotin, chair of the Article 29 Working Party said in February that when the party meets next month to discuss Privacy Shield it will also "be in a position to offer a clearer view on the legitimacy of businesses' continued use of alternative mechanisms for data transfers, such as model clauses and BCRs."
Data Privacy Monitor provides more answers here.
8. What should I do?
Up your data classification game. Current tools make some PII and PHI relatively easy to discover with basic searches, yet many organizations are already behind the curve. The GDPR's expanded definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.
Keeping better track now of what data you have and where you have it -- and urging business leaders to make better decisions about whether or not you need that data to begin with -- will make it much easier later when you need to "forget" certain users or add security measures to certain data types.
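To make the classification and inventory advice above concrete, here is an added example (not code from the original article or any vendor tool) of a minimal data classifier. It combines pattern detectors for direct identifiers that a basic search can find (a US SSN format and an e-mail address) with a field-name mapping for the kinds of quasi-identifiers the broadened GDPR definition sweeps in, builds a per-store inventory of what personal data lives where, and locates every record tied to one subject, which is the first step of a "forget me" request. The regexes, field-name mapping and sample records are all constructed for this example; a production scanner would need far richer rules and validation.

```python
import re
from collections import defaultdict

# Direct identifiers detectable by pattern alone (constructed sample regexes;
# real scanners use richer rules plus checksum/format validation).
PATTERN_DETECTORS = {
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE),
}

# Fields with no searchable pattern that still count as personal data under the
# GDPR's wider notion (genetic, mental, economic, cultural or social identity).
# Hypothetical mapping built for this example.
QUASI_IDENTIFIER_FIELDS = {
    "shoe_size": "physical",
    "dress_size": "physical",
    "religion": "cultural",
    "income_band": "economic",
    "genetic_marker": "genetic",
    "home_address": "direct",
}


def classify_record(record):
    """Return {field: category} for every field in the record that is personal data."""
    found = {}
    for field, value in record.items():
        # Field-name rule first: the value carries no recognisable pattern.
        if field in QUASI_IDENTIFIER_FIELDS and value not in (None, ""):
            found[field] = QUASI_IDENTIFIER_FIELDS[field]
            continue
        # Then pattern rules for string values.
        if isinstance(value, str):
            for name, pattern in PATTERN_DETECTORS.items():
                if pattern.match(value.strip()):
                    found[field] = name
                    break
    return found


def inventory(stores):
    """Map each data store to the personal-data categories it holds and the
    fields behind each category, so you know what you have and where it is."""
    result = {}
    for store_name, records in stores.items():
        categories = defaultdict(set)
        for rec in records:
            for field, cat in classify_record(rec).items():
                categories[cat].add(field)
        result[store_name] = {cat: sorted(fields) for cat, fields in categories.items()}
    return result


def subjects_to_forget(stores, email):
    """Locate every (store, record index) holding a subject's e-mail address:
    the records you would have to erase or anonymise for a 'forget me' request."""
    hits = []
    for store_name, records in stores.items():
        for i, rec in enumerate(records):
            if any(isinstance(v, str) and v.strip().lower() == email.lower()
                   for v in rec.values()):
                hits.append((store_name, i))
    return hits


# Constructed sample data stores (not real people or real data).
SAMPLE_STORES = {
    "crm": [
        {"name": "A. Example", "contact": "a.example@example.eu",
         "ssn": "123-45-6789", "shoe_size": "42"},
        {"name": "B. Example", "contact": "b@example.eu", "religion": "none stated"},
    ],
    "marketing": [
        {"id": 7, "dress_size": "M", "income_band": "40-60k",
         "contact": "a.example@example.eu"},
        {"id": 8, "notes": "prefers email"},
    ],
}

if __name__ == "__main__":
    for store, cats in inventory(SAMPLE_STORES).items():
        print(store, cats)
    print(subjects_to_forget(SAMPLE_STORES, "a.example@example.eu"))
```

The point of the two-layer design is the one the article makes: the SSN and e-mail columns are found by pattern, but the shoe size, dress size and income band are only found because someone catalogued which fields carry them, so the field-name map is the part that needs maintaining as schemas change.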
Avoiding data transfer whenever possible -- by storing EU citizens' data in the EU only -- is a safer practice if it's feasible. However, that might not be a permanent solution, particularly if the US Department of Justice ultimately wins its long-running case against Microsoft. DOJ has been trying to press Microsoft into turning over data residing on a server located in Ireland, but the company has refused. The case has been in appeals for years, and DOJ did not get much support last month during a House Judiciary Committee hearing when lawmakers accused the Justice Department of trying to circumvent international treaties.
Talk to leaders throughout your security, compliance, privacy, legal, marketing, HR, and IT departments. Complying with new regulations will affect all of you.