European Commission announces Safe Harbor replacement: the EU-US Privacy Shield
Neil Ford 3rd February 2016
The European Union and the United States have reached a last-minute agreement on international data transfers following last October’s ruling by the European Court of Justice that Safe Harbor, the 15-year-old pact between the EU and the US, was invalid.
The Safe Harbor agreement allowed the personal information of EU citizens to be transferred to the US without abiding by the strictures of European data protection legislation, but a legal challenge brought against Facebook by Max Schrems, an Austrian privacy campaigner who was concerned about the social network’s potential sharing of Europeans’ personal data with the NSA, resulted in Safe Harbor being declared invalid.
Under the EU Data Protection Directive (95/46/EC), EU Member States may only transfer personal data to a third country for processing if that country “ensures an adequate level of protection”. The European Court of Justice found that Safe Harbor did not ensure such a level of protection.
The last few months have been confusing for data controllers and processors. Now, however, shortly after the expiration of the 31 January deadline set by the Article 29 Working Party – the body responsible for data protection in the EU – the European Commission has announced that the EU-US Safe Harbor agreement will be superseded by something called the ‘EU-US Privacy Shield’.
EU-US Privacy Shield
Details are vague so far, but the new agreement will include:
Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
It’s also not yet known when the new framework will be put in place. (Knowing EU bureaucracy, it’ll be a while yet.) Again, from the press release:
The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.
Schrems commented: “Judging from the mere ‘headlines’ we know so far, I am however not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this – depending on the final text I may well be one of them.”
EU General Data Protection Regulation
The EU Data Protection Directive – which informed the Safe Harbor agreement – is soon to be superseded by the EU General Data Protection Regulation, a pan-European law that will harmonise data protection across EU member states.
All organisations that collect, process or store information will have to meet the GDPR’s requirements, or face penalties of up to €20 million – or 4% of turnover, which in the case of global Internet companies could be billions.
Implementing an information security management system (ISMS), as described in the international best-practice standard ISO 27001, is the sensible route to compliance.
Information security best practice
An ISO 27001-compliant ISMS provides a risk-based approach to data security that can be applied throughout the supply chain. Once your ISMS has been certified to the Standard you can insist that third-party contractors and suppliers also achieve certification. In addition to this, the external validation offered by ISO 27001 certification is likely to improve your organisation’s cyber security posture and business efficiency while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts – as well as allowing you to meet your legal and regulatory obligations.
Achieving certification to the Standard can be a complicated and time-consuming business, though. Organisations must provide documented evidence of their compliance with ISO 27001, which in the case of larger or more complex organisations can require the creation of thousands of pages of documents. If you find yourself in this position, don’t worry: expert help is at hand.