2 February 2016 became the day of reckoning for U.S. businesses. On that day, EU and U.S. successfully came to an agreement on adopting a new instrument to facilitate transatlantic data transfer. Dubbed “EU-U.S. Privacy Shield” this time around, it is primarily a political agreement.
Let us rewind the clock to recollect what led to this. Last year a ruling by a European court dismantled the existing ‘EU- U.S. Safe Harbour’ mechanism which, for a long time, enabled data transfer between EU and U.S. The European court concluded that the ‘EU-U.S. Safe Harbour’ as a data transfer instrument was not robust enough in the current age of hyper-digitalization, mobility and cloud computing for secure data transfers between EU and U.S., and held it invalid. This implied that a new solution had to developed quickly without which U.S. would join Third World Countries as far as data protection goes, i.e. not fit for business considering data protection as a lever. It would also imply either greater data protection liabilities translating to a hefty cost for U.S. businesses or withdrawal of business from the European geography.
Subsequent to the political agreement, the European Commission released the text of the new EU-U.S. Privacy Shield on 29 February 2016 which was developed in conjunction with the U.S. authorities. The framework consists of the following critical elements, but not limited to, a draft adequacy decision (which confirms that the agreement meets EU requirements for data transfer), privacy shield principles, written commitment from U.S. Government and communication by EU commission on functioning of ‘EU- U.S. Safe Harbour’
So what is next for U.S. businesses? As of now it is a wait-and-watch situation.
The “EU-U.S. Privacy Shield” will need to go through a “Comitology” procedure (a process used to revise or adjust laws within EU) before it is adopted in Europe. This involves the following steps:
- Non-binding opinion from the Art. 29 Working Party (which comprises representatives from the data protection authorities of all EU members)
- Binding opinion from the qualified majority of the Art. 31 Committee (composed of EU Member State representatives)
- The adoption of the adequacy decision by EU College of Commissioners
The EU Commission is targeting the formal adoption of Privacy Shield by June 2016 assuming the comitology procedure goes as expected.
It is however highly unlikely that EU-U.S. Privacy Shield will see the light of day within this deadline, given that the EU is constantly grappling with complex data protection issues. While organizations wait for it to come in force, they can put in place robust alternate legal mechanisms, namely EU Model Clauses or Binding Corporate Rules, which enable EU data transfer to U.S..
The impact of the “EU-U.S. Privacy Shield” is that U.S. organizations are now taking their global data transfer strategy seriously and are reviewing them from the perspective of IT networks and systems functioning. EU data protection authorities are sure to pay keen attention to the extent to which U.S. organizations focus on this issue, an issue they have so far ignored.
Once this Shield is adopted, as many U.S. organizations will be interested in recertifying themselves, they will need to get ready to comply with its conditions. Additionally, this may also result in U.S companies increasing their resources, people and technology, on data protection measures as well as the oversight of the privacy ecosystem inside the organization.
Organizations will also need to plan and prepare for complying with the General Data Protection Regulation, a unified data protection law within EU that is currently under development, which is expected to pose a significant challenge once it is made effective in 2018.
Going forward, the spotlight will be on the U.S. companies seeking to achieve effective compliance with the principles of the EU-U.S. Privacy Shield (if it is adopted) and other applicable EU data protection laws. So sit back and hold tight for the next key development in the saga of ‘EU-U.S. Privacy Shield’.