Since the European Court of Justice struck down Safe Harbor in October 2015, the EU and the US have been negotiating a new data-transfer agreement.
This past February they introduced Privacy Shield, the new legal framework that will allow US companies to import and store personal information from European citizens without compromising on data protection. However, this new agreement comes with plenty of uncertainty and controversy. Let’s take a look at why!
Whatever happened to Safe Harbor?
On the 6th October 2015, the European Court of Justice struck down Safe Harbor after Edward Snowden shed light on the use of personal data, revealing the mass surveillance operations carried out by the US National Security Agency and the lack of safeguards to guarantee data protection for EU citizens.
In the EU, international data transfers are only authorised if the destination country’s data protection law matches the European one. In 2000, Safe Harbor was introduced as a legal framework to ease data transfers between EU member states and the United States.
After Snowden’s revelations, Austrian privacy campaigner Max Schrems filed a lawsuit against Facebook regarding its use of personal data. However, the Irish Data Protection Commissioner found that Facebook was protected by Safe Harbor.
The case was then taken to the European Court of Justice, which eventually ruled that the Safe Harbor agreement was invalid, as the court considered that, in the wake of Edward Snowden’s leak, the security of personal data on the Internet could not be guaranteed under the terms of European data protection law.
No Man’s Land
The United States and the European Union set the 31st January as the deadline to find an alternative and renegotiate a new deal that would guarantee the safety of personal information on the Internet.
During this time, data sharing between European countries and the US was no longer protected by Safe Harbor, and it was up to each national data protection authority to decide how to act on the matter.
In the UK, deputy information commissioner David Smith encouraged companies to “take stock” and review the protection measures in place to guarantee safe data transfers. However, he said he appreciated that this could take time and advised businesses against rushing into “other transfer mechanisms that may turn out to be less than ideal”, especially with the possibility that a new agreement would emerge.
The ICO’s decision to be flexible and wait for a new deal contrasted with countries like Spain and Germany, where the data protection authorities urged companies to adhere to European data protection law and use European servers, and threatened to investigate the legality of their data sharing.
Although the 31st January came and went without the parties reaching an agreement, on the 2nd February the European Commission announced Privacy Shield, a new deal that would plug the gap and set the new legal framework for international data transfers. However, due to the limited and ambiguous information provided by the EU and the US, the long-awaited announcement was received with uncertainty and speculation.
The main details of the agreement weren’t released until the 29th February and must now be validated by the member states and the data protection watchdogs in the EU. Provided companies adapt their policies to comply with Privacy Shield, the new agreement should bring some peace of mind to businesses sharing personal data internationally.
Yet Max Schrems and other privacy advocates are questioning the new agreement, which will still allow the US to carry out bulk surveillance in a number of cases, something that, they claim, goes against European law.
What’s going to happen now?
It’s hard to tell, but a number of experts have already warned that Privacy Shield would not pass muster with the European Court of Justice if taken to court.
In the UK, the matter is even more complicated, as we face the upcoming European referendum, dubbed Brexit. Brexit means choosing between staying in the EU and complying with its General Data Protection Regulation (GDPR) (still on the UK’s to-do list) or leaving and finding an alternative. Either way, the UK will have to decide how to ensure it remains a safe place to store personal information from European citizens.
If the UK decides to stay in the EU, it will have to ensure its service providers abide by Privacy Shield’s new data-protection standards, or choose to migrate personal data to a service provider with European servers. If the UK votes to leave, new agreements will need to be reached to allow data transfers with the US and the EU.
For small, medium and even larger enterprises, this means more months of uncertainty, in which we should keep our eyes wide open and be on the lookout for any news regarding the new agreement, to ensure our marketing activity complies with European law. In Spain, we’ve already started to see some companies descend into chaos because of this ambiguity. All we can do now is stay vigilant, sit and wait.