EU Privacy Shield – A Framework, But More to Be Done


Bruce Guptill, Jim Hurley
Research Alert

What is Happening?

Privacy Shield is the replacement for Safe Harbour, a legal agreement enabling companies operating in EU countries to transfer Personally Identifiable Information (PII) out of the EU. As of July 12, 2016, unless an enterprise is using the new Privacy Shield, or relying for now on the older Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC), it is violating European law when it transfers PII to the US. In effect, parties self-certifying to Privacy Shield agree to Europe’s broader privacy principles and several new requirements, and agree to be bound to these European-centric data privacy principles governing PII, but through US law. Our position: Privacy Shield will certainly help address many data protection concerns – but it is not (yet) going to solve all of the important issues. The new EU-U.S. Privacy Shield program reflects the European Court of Justice’s 2015 ruling declaring the old Safe Harbour framework invalid. Under Privacy Shield, global businesses transferring PII from Europe to the US face several new requirements, including:

  • Privacy policies. Publishing privacy policies governing PII, including rights of individuals to access their own PII
  • Government access to PII. Explaining rights to PII by law enforcement and legal jurisdictions governing PII
  • Onward transfer. Explaining liability for data controllers and data processors in cases of onward transfer of PII to third parties
  • Dispute responses. Free and accessible dispute resolution requiring responses within 45 days at no cost to individuals
  • Dispute resolution. Agreeing to resolve disputes through the US Department of Commerce (DOC) and with individual EU Data Protection Authorities (DPAs) within 90 days
  • Binding arbitration. Agreeing to binding arbitration for unresolved disputes
  • Annual recertification/fees.

As of today, about one month into the new Privacy Shield, only about 40 US-based companies are cited as being self-certified, including tech titans Microsoft and Salesforce. Other IT Master Brands, Apple, Google, and Facebook, have said they will comply and a total of 240 US companies are in the certification queue. It took about 16 years, from 2000 through 2016, for Safe Harbour to cover more than 4,000 companies.

Why is it Happening?

Privacy Shield came to be because the prior agreement – Safe Harbour – was ruled inadequate by a European court. The details can be found in many places online; the net effect was that data transfer between US-based and EU-based businesses faced a potentially chilling future full of country-by-country, industry-by-industry data privacy regulations (and lawsuits).

According to the European court that decided against it, Safe Harbour never met the core principles of the EU Data Privacy Commission legislation, which include:

  • No provisions to limit government interference with its protections
  • No provisions for individuals to access data about them, to have such data erased or amended
  • No provisions allowing national supervisory authorities – Europe’s Data Protection Authorities (DPAs) – to exercise their legal rights

The Court ruling negating Safe Harbour also encouraged Europe’s DPAs to rule against and fine businesses that are transferring PII data to the US from EU member states. Such punitive actions are already commencing. The first is a ruling in Hamburg, Germany, where Adobe, PepsiCo, and Unilever were fined 8,000, 9,000, and 11,000 Euros respectively for failing to set up alternative legal channels for the cross-border flow of PII post-Safe Harbour. It is yet to be seen how, or if, Privacy Shield adoption will affect such actions.

Furthermore, it is not clear whether the more complex, but often used, BCR and SCC mechanisms will survive. The European Commission evaluating BCR and SCC has come up with four main points on which it does not believe either BCR or SCC comply, as follows:

  • The processing / handling of PII data
  • Surveillance activities by governments
  • Independent oversight mechanisms
  • Effective remedies for individuals

Net Impact

The limbo for BCR and SCC means we expect more global businesses, in and out of the US, will sign onto Privacy Shield. Tech companies have welcomed the new deal, saying that it protects user privacy while allowing for trans-Atlantic trade.

However, the influential Working Party 29 (WP29) body – which is made up of the heads of the various Member States’ data protection agencies – remains critical not only of BCR and SCC, but also of Privacy Shield, despite what it sees as some improvements over Safe Harbour. In a statement late last month, the WP29 said it remains concerned about various commercial aspects of the framework, flagging as problems the lack of specific rules on automated decisions and of a general right to object, a lack of clarity about how the Privacy Shield Principles apply to data processors, and concern about access by public authorities to data transferred to the U.S. under Privacy Shield. And Privacy International, a London-based watchdog, expressed concerns over the new deal after a leaked version was published online. We expect more challenges, potentially including legal challenges, within the next 12 months, possibly within the next 6 months.

In the meantime, the framework is in place, and it does offer a working basis for the cross-border flow of PII.

New and more liberal privacy regimes such as those within the Trans-Pacific Partnership (TPP), and the proposed Transatlantic Trade and Investment Partnership (T-TIP), could result in faster economic growth outside the borders of the EU, which could pressure the WP29 working group to rein in attempts to scuttle Privacy Shield.

In addition to keeping clients up to date on the latest data security and privacy developments, we are advising on the most likely business and IT management effects and costs, including such questions as:

  • Will Privacy Shield change the siting of data centers in or outside of Europe?
  • Will new laws encourage competing alternatives?
  • What commercial, behavioral and economic impacts will the new law stimulate?

Data flows between the continents are essential to our societies and economies – we are in this together after all – and Privacy Shield now provides a robust framework ensuring these transfers take place using prescribed legal channels. Without such an agreement, thousands of companies of all types and sizes – in both Europe and the United States – will face widespread uncertainty and serious impacts to their operations and their ability to conduct business across the Atlantic.

This Research Alert was originally published by ISG Insights, our ongoing globally-focused premium subscription research service. To learn more about ISG Insights, go to http://insights.isg-one.com where you can register for a Research ID that will provide access to some of our complimentary content.
