Earlier today the European Commission officially adopted the EU-US Privacy Shield, providing a legal framework under which transfers of personal data can be made from EU countries to the US. The issue had been unresolved since the Max Schrems case, in which the privacy advocate had the earlier arrangement, Safe Harbour, declared invalid. The new agreement was approved last week.
Phil Lee, partner in the Privacy, Security and Information team at Fieldfisher commented in an email to SCMagazineUK.com, "Following Safe Harbour's invalidity last year, many businesses went through lengthy and expensive programmes to re-engineer their data export strategies – switching over from Safe Harbour to Model Clauses, and requiring their supply chain to do the same. Having expended all this time, effort and money, the big question now is whether they (and their Boards) are now prepared to repeat the process and switch again to Privacy Shield, keeping in mind the prospect that it will almost certainly be challenged by civil liberties groups and possibly some DPAs."
Deema Freij, global privacy officer at Intralinks, added in an email to SCMagazineUK.com, “Businesses have been switching - or are switching - to other legal solutions so they are able to transfer personal data to the US in a bid to avoid any issues with the decision invalidating Safe Harbour by the Court of Justice of the European Union (CJEU). Those legal solutions include EU-prescribed Model Clauses. Now, if organisations choose to stay on these model clauses, nothing will change, and they can still use them to support data transfers globally. Model clauses work for all data transfers – not exclusively for transfer of personal data to the US – but they are admin-heavy. Alternatively, they can certify to the EU-US Privacy Shield as a means of transferring personal data from the European Economic Area (EEA) to the US. Model clauses will still be needed for any other data transfers outside of the EEA, however.”
Nonetheless, Freij suggests that EU Model Clauses will also get their day in court as the Irish data privacy regulators have asked the Irish courts to refer the validity of EU Model Clauses to the CJEU. The advice to businesses is to keep in touch with their cloud providers and legal counsel to ensure they stay on top of potential changes in the future.
Freij concludes, “Data sharing cannot be taken for granted anymore. Companies and their cloud providers are more responsible than ever for data privacy, and this responsibility is only going to increase when the GDPR is adopted: right now global organisations have a two-year deadline to comply. The penalties for wrongdoing could be very severe so planning is critical.”
Elodie Dowling, VP, EMEA general counsel at BMC Software, in an email to SC, was more sceptical, saying, "... with the ongoing discussions generated throughout the negotiation period, it's unlikely that the official adoption of the Privacy Shield closes the loophole completely. For example, it remains unclear the type of ‘assurances’ the US has provided to the EU to ensure mass surveillance does not apply or, if it does, that it happens in a transparent and framed manner for EU citizens. Surely this particular item is going to be carefully considered by data privacy activists."
In addition, Dowling notes that the Article 29 Working Party (WP29) is to meet on July 25 and render its opinion on the adequacy of the Privacy Shield.
Lee sums up: "It seems we're entering a world where no one data export model is good enough: Privacy Shield has an uncertain future, Model Clauses are being referred to the CJEU for review, and BCRs take too long for all but the most compliance-minded businesses. Because of this, what we're seeing instead is businesses looking towards a layering of these solutions, rather than betting the ranch on any one solution alone."
A different perspective is provided by Richard Stiennon, chief strategy officer for Blancco Technology Group and former Gartner VP of Research:
“An agreement on the EU-US Privacy Shield has been reached after the US DNI took the unprecedented step of providing written assurance that mass surveillance of EU citizens will not take place. This immediately begs the question – would the US – and the UK government for that matter – be prepared to make those very same assurances to their own citizens?
I find it disconcerting that the EU, by and large, is more concerned with privacy than both the US and the UK and what this might mean for the global marketplace if we continue to allow different attitudes to translate into wildly different data privacy legislation across distinct geographies. If we continue along the path we are treading, then global organisations will continue to be subjected to the expense of tracking and complying with multiple sets of data security and privacy rules or we will experience a ‘race to the bottom’ that puts all of our personal data at risk.
After years of working to get the EU GDPR defined, we're finally ready to see it implemented. It is all well and good devoting time and resource to creating data sharing protocols such as the EU-US Privacy Shield. However, wouldn't it be better to make US and UK data protection laws meet the same standards so that we could all trade on a level playing field?”