Updated: EU Privacy Shield soon to be finalised

Privacy Shield's long awaited final draft will be done by the end of this month. SC talked to some of those in the industry who will fall under its dominion

Europe soon to get its own 'privacy shield'
Europe soon to get its own 'privacy shield'

The new data agreement between the EU and the US, known as Privacy Shield, is set to be finalised by the end of month, according to an EU commissioner. 

Věra Jourová, a commissioner for the Justice Directorate General at the European Commission tweeted on 8 February that the final version of Privacy Shield is coming soon.

Safe Harbour was reborn last week as Privacy Shield, a new set of EU-mandated regulations to mediate the transfer of private data between organisations in the United States and in the EU. 

The Safe Harbour agreement allowed European organisations to transfer data to organisations in the US, where data protection legislation varies from state to state and is often not compatible with EU law, provided the US organisation pledged to apply EU standards to the handling of data. 

The Safe Harbour agreement, which had stood since 2000, began to crumble when Edward Snowden revealed that US intelligence agencies were scanning data on the servers of big social media companies such as Google and Facebook. This prompted Max Schrems, an Austrian law student, to lodge a complaint with the Irish Data Protection Commissioner that his data was being unlawfully processed by Facebook which ultimately led to the Irish courts referring the case to the European Court of Justice.   

After being struck down by a European court late last year, there has been no agreement governing the transfer of private data in Europe.

Privacy Shield aims to patch the gap and make sure there are clear guidelines and procedures for how data is transferred and how organisations on one side of the Atlantic handle data of the citizens on the other side.

The agreement not only refreshes, but builds on the provisions of Safe Harbour, leaving companies in a new situation regarding data handling.

First, though, they have to be told that Privacy Shield exists, according to Teresa Schoch, associate director  at the Berkeley Research Group who told SCMagazineUK.com: “Surveys have shown that half of the companies certified under Safe Harbor were unaware of its invalidation in October of last year. The same companies are likely to be unaware of the Privacy Shield as well.”

If they don't, they'll know soon enough. While Safe Harbour had few teeth regarding compliance, Privacy Shield will not be so gentle to those who break its provisions. Where data is concerned many US companies keep all the data they collect, said Schoch, something which Privacy Shield will not stand for seeing as it puts very fine points on what data companies are allowed to collect and keep as well as how long they keep it.

Schoch said, “Companies that are attempting to be in full compliance once the new EU regulation is in effect to avoid unprecedented fines, are speeding up efforts to meet both the spirit and the letter of EU privacy law. Privacy Shield means that they could be audited and fined as soon as the US is able to put together a framework to target offenders.”

Meanwhile, “Other companies remain oblivious to the impact of this move and will find themselves scrambling to address audits or EU citizen complaints. The industry most concerned is the insurance industry that currently finds it difficult to assess risk and potential liability in this new landscape.”

Without the full paper for Privacy Shield being released, let alone the proposals being passed through European courts, it's hard to fully expect what Privacy Shield might bring but Brian Chappell, director of technical services EMEAI and APAC at BeyondTrust, has some guesses. 

He told SC, “As it stands now, the new privacy pact has yet to withstand the scrutiny of the various privacy groups out there so it's possibly a little early to start preparing for it. That said, the basic premise seems to rely on companies taking appropriate action to protect data (as Safe Harbour did); however they are now subject to review, and failure potentially has greater ramifications.”

Still, these are things that companies should already be doing, said Chappell: “The underlying technical requirements should already be in place, if you've not got your data secured then you need to be following best practice ASAP, regardless of the April deadline for this pact.”

Ian Wood, senior director of global solutions at Veritas, told SC, “Businesses will need to be much more involved with where their information exists and how it is stored. As a result, enterprise businesses will need to welcome a new age of information transparency to protect their customers' and employees' personal information by gaining visibility, taking action and assuming control of their data.”

Jason Andrew, GM & VP of EMEA at BMC software, said that BMC has been working towards becoming the first enterprise IT management company to receive approval for Binding Corporate Rules (BCRs) as both a data controller and data processor, meaning the company can transfer personal data outside the EU safely.

Andrew told SC: “BCRs can help to drive up levels of confidence and compliance and can fundamentally help US businesses navigate their way through the 'patchwork' of differing data privacy laws in countries throughout Europe. With BCRs in place, BMC is in a position where our business will not be disrupted because we are striving to set up the highest level of protection across our organisation.”