1 Aug 2016
Privacy Shield: A New Episode In The “Email Marketing & EU Data Protection” Series
1 Aug 2016
Safe Harbour and its new version Privacy Shield are again making the headlines. We know, your very favoruite topic. Should you binge-watch Game of Thrones or learn about Privacy Shield? Duh. Privacy Shield, of course. Is there really any better bedtime reading?
Well, not really. If you’re doing email marketing in Europe, it concerns you directly because we are talking about EU data protection here. Do regulatory news give you a headache? Don’t panic. At Mailjet, we’ve been monitoring the issue to keep you informed. Sit down and catch up on the whole story, in a nutshell.
Previously, on Safe Harbour…
You may remember that last fall, the EU Court of Justice struck down Safe Harbour, a self-certification agreement that was used to regulate data transfers between the US and the EU.
There have been several developments since then: a new text was created in extremis in February 2016. It was called Privacy Shield. The text was then studied by the Article 29 Working Party (also referred to as WP29, a group of the 29 national authorities for data in the EU).
Last April, after two months of examining the text in depth, the WP29 has released a public statement about it. They basically acknowledged the improvements that Privacy Shield brings to the table, but highlighted several remaining issues. Some of these issues were the complexity of the agreement, the lack of safeguards against bulk data collection from US surveillance programs and the difficulty for EU citizens to appeal for the misuse of their private data.
On this week’s episode of Privacy Shield…
On the 8th of July, the EU officially validated Privacy Shield. It therefore officially replaces Safe Harbour, by
providing a new method for US companies to transfer EU citizens’ personal data to the US. Wait, does it mean everything is back to normal, data transfers re safe again between the EU and the US and we can live happily ever after with our American providers? Is this really the end of the show?
Well, not exactly – you know there’s always a but.
Currently, any US company that receives personal data from the EU must adopt one of the approved methods for cross-border transfers:
(2) Binding Corporate Rules (for intercompany/affiliate transfers);
(3) Privacy Shield.
How can I ensure I’m following the EU data protection rules?
OK, so we said there are three options.
Non-EU companies can use the standard data protection clauses in Options (1) and (2) in their contracts.
Essentially, this covers any transatlantic data transfer carried out by a US company. For these options to be valid, a US company must opt for the same data privacy standards as companies within the EU have to provide. They must also clearly state it in their contracts (both internal contracts between companies and external ones with their customers). However, these options are not always used in the same way, and customers will need to check the companies’ data agreements to determine their level of security. Thus, customers might not always have the same level of security when dealing with non-EU companies.
So, does that mean that it’s up to the companies to decide how to protect personal data? Not necessarily. Once it comes into effect, option (3), Privacy Shield, should be the prevailing law to regulate data transfers. However, there’s still skepticism regarding the protection it provides, compared to that provided by EU laws.
US companies have just recently been able to use Privacy Shield as a way to accredit their data protection standards. They can self-certify that they comply with the new regulation ; in fact, the law is already applicable to many US businesses (including Facebook, Google, Microsoft…).
For EU companies, this is a little bit different. In these countries, Privacy Shield now has to be transposed into the EU member states’ own legislations. The deadline for this process is the 6th of May, 2018 – although it wouldn’t be a surprise if this was to eventually take longer. In the meantime, people can only rely on options (1) and (2), as described above, whenever they need to make sure that their transatlantic data transfers are safe.
If you are using Mailjet as your email marketing provider, you’ve got nothing to worry about. Not only do we fall under the Data Protection Directive 95/46/CE, but all of our servers are located in Europe. We also strive to keep our data protection standards high. See, no headache at all.
Time to go and binge-watch Game of Thrones now.
If you have questions around Privacy Shield and how it could impact your sending policy and the protection of your data, feel free to contact us or share your thoughts on Twitter with the #MailjetMarketing.