Privacy Shield, the self-certification programme that outlines data protection requirements for the transfer of personal information from the EU and Switzerland to the United States, isn't just a consideration for American companies. It should also be on the agendas of UK businesses as they conduct business with the US and as they consider the potential issues of leaving the EU.
Even if an organisation doesn't have any employees based in the US or isn't regularly transacting business with companies in the States, an awareness of the US/EU Privacy Shield programme is still a worthwhile endeavour for UK firms. As consumer expectations about data protection and privacy become increasingly strict, incorporating a formal framework such as Privacy Shield into normal business operations may provide customers with greater peace of mind around data privacy. This is especially true as Britain has triggered Article 50 of the Lisbon Treaty, beginning the formal process of leaving the EU within two years, which leaves the state of future UK/EU data exchanges in the balance.
In addition, with transatlantic partnerships on the rise and the prospect of expanding UK trade with non-EU countries—specifically the United States—not to mention a growing reliance on cloud services located nearly anywhere, more data hand-offs are likely to happen between companies in the UK and the US. Abiding by the requirements set out in the US Privacy Shield framework will help make those connections more efficient for global operations, while preserving data rights consistent with the stricter approaches in the EU.
Challenges within the privacy landscape
The global business environment is in a state of rapid and wide-scale change. Implementation of the General Data Protection Regulation (GDPR) in 2018—along with Brexit and a two-year countdown to leave the EU—is creating challenges for companies trying to sort out what data protection requirements will look like going forward. Will data transfers between the EU and UK be allowed to continue under the GDPR, even after Brexit is complete? Might UK businesses see a change in how they share information with partners in the future? There is still too much uncertainty to do more than speculate, but these are questions that must be asked when considering a future in which a Privacy Shield framework may become highly relevant for UK entities that have a presence in, and do business with, the US and EU.
In a post-Brexit environment, it's likely that the UK will not be covered by the EU's GDPR and will itself have to meet certain national levels of data protection that are still consistent with continental European perspectives. This means that the UK will have to be deemed “adequate” post-Brexit to allow unfettered transfer of EU personal data to and from the UK, similar to the way the EU transfers data to Canada now, for instance.
However, if the UK fails to meet the EU's adequacy standards in its data protection regulations and environment, the transfer of EU personal data to the UK will run up against prohibitions. Data transfers may operate more like those to the US, deemed acceptable through other methods or a workaround programme such as the US Privacy Shield programme. In this scenario, the Privacy Shield framework may serve as a good model for any new data protection agreements that are developed to facilitate information transfers between the UK and the EU post Article 50.
Privacy Shield's lessons as potential value for UK companies
Larger and proactive UK organisations can also look to the consumer-centric Privacy Shield framework to better understand what the EU will expect from non-EU organisations that handle EU citizen information. Regardless, UK companies that handle lots of different UK and EU citizen data need to prepare for a day — and it will come soon — when the unfettered access to and transfer of information to the EU slows down or even stops.
Why does this scenario seem likely? To put it simply, as Americans have learned the hard way over the past 20 years, Europe can and will use data protection and privacy differences as a point of leverage with non-EU trading partners. As outsiders to the EU club, Americans have always faced business choices ranging from dramatically limiting data transfers and thus avoiding conflicts with EU requirements, to simply refusing business opportunities that cross into the EU's boundaries.
Following Brexit, the UK and its business community need to understand that they, too, are suddenly on the outside looking in. Whether the outsider status looks like a close outsider such as Switzerland or Denmark or a distant outsider such as the US remains to be seen. Either way, in a post-Brexit Europe, UK entities need to prepare for a different view on data transfers that may shape up to resemble the US's workaround with the EU.
Treating Privacy Shield as a useful model in an uncertain world is certainly a good start.
Contributed by Eduard Goodman, global privacy officer, CyberScout
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.