Many U.S. companies that have relied on the exchange of data with European Union counterparts have been in a legal...
no man's land since October 2015, when the Safe Harbor data transfer agreement was dissolved by the European Court of Justice, the EU's highest court, citing concerns over U.S. government surveillance.
That's changing with the enactment earlier this month of the EU-U.S. Privacy Shield data transfer agreement, which U.S. businesses can start signing up for -- and promise to uphold its data privacy principles -- Aug. 1.
But is the new "robust framework," as the European Commission's Andrus Ansip has called Privacy Shield, a good one? Will it better protect the privacy of European consumers against prying American eyes? If its mechanisms are found lacking, European officials could invalidate this one, too, and go back to the drawing board. And for CIOs now working to align their data protection and compliance programs with the current laws, another framework could mean yet more work and effort.
Dissent from Europe
On paper, the EU-U.S. Privacy Shield's protections are stronger than Safe Harbor's. There are clear safeguards on how U.S. government and law enforcement agencies can access European consumers' personal information, and it will also be easier and cheaper for people to file complaints against companies for perceived privacy violations. Also, under the "onward-transfer" provision, third-party contractors such as email-list processors that may handle customer data must also adhere to the framework's principles.
But not everyone is happy, with civil liberties groups criticizing the set of laws. Human rights watchdog organization Privacy International has called the document "opaque" and said that there are "no meaningful protections" for European consumers against mass surveillance by the U.S. government. And advocacy group European Digital Rights said the "sham" pact is doomed to fail.
Miriam Wugmeister, a privacy and data security lawyer at law firm Morrison & Foerster, said the groups making the criticisms are not taking everything they should into account. They see Privacy Shield, and Safe Harbor before it, as "self-regulatory," without real implications for violations. That couldn't be further from the truth, Wugmeister said. Companies that registered for Safe Harbor, for example, "really, actually developed compliance programs." And the Federal Trade Commission, enlisted to enforce Privacy Shield, takes things like this very seriously.
"This is something that is not understood particularly by Europeans," Wugmeister said. "The way in which we have regulation in the U.S. is if you publically declare something and don't do it, the FTC comes after you. It's public declaration backed by enforcement."
'An ongoing process'
And enforcement is key, said Enza Iannopollo, an analyst at Forrester Research.
"If this is going to be a successful framework in terms of protecting customer data, it will depend on the ability of the authority to enforce this," Iannopollo said, "which at the end of the day is really what is going to determine the effectiveness of the framework."
EU regulators approved the data transfer agreement on Tuesday and will not legally challenge it for at least a year, though activists or Europe's data protection authorities could file complaints in the meantime. But right now, Iannopollo said, it's good to have an agreement replacing months of uncertainty and confusion among companies over how to legally move data across the Atlantic.
"Privacy is something that is a continuous evolution," she said. "It's an ongoing process."
The CIO's role in bearing the EU-U.S. Privacy Shield
The February beginnings of the data transfer agreement
Uncertainty survives as Privacy Shield gets greenlight