As of August 1, 2016, U.S. companies will be able to certify their compliance with the new EU privacy shield agreement — a set of principles established by the EU and the U.S. government overseeing the transfer of personal data of European citizens to the U.S. It replaces the former safe harbor agreement, which was deemed invalid after the courts ruled that it provided insufficient guarantees of protection for individuals and their personal data.
The EU privacy shield agreement aims to provide these guarantees, ensuring that personal data transferred from the EU to the U.S. for processing has sufficient levels of privacy protection over and above those required under U.S. law, whose data protection standards are perceived by some to be lacking.
Alternatives to this agreement exist through the binding of corporate rules or standard contractual clauses, which are intra-corporate policies that lay out a set of practices, processes and guidelines that satisfy the data transfer standards required by the EU. But the problem with both of these mechanisms is that they need to be drawn up on a case-by-case basis, which generally takes six to nine months.
The EU privacy shield, like the preceding safe harbor agreement, aims to simplify the process of transferring data with adequate protections in place.
Fear of Mass Surveillance
One of the main reasons that the safe harbor agreement was shot down was fear of mass surveillance by U.S. authorities following information revealed in documents leaked by whistleblower Edward Snowden. The new privacy shield agreement requires that organizations self-certify that they meet the data protection standards required by the EU, which the U.S. Department of Commerce must review regularly. The U.S. government has given assurances regarding limitations on how law enforcement and federal agencies can use data collected, with bulk collection only permitted under specific circumstances and in as targeted a manner as possible. The privacy shield agreement also provides rights of redress to EU citizens who feel that their data has been used in an inappropriate manner, with disputes handled by an independent ombudsman in the U.S.
Multinational companies have welcomed the establishment of the privacy shield agreement, as it enables them to carry on their core businesses without undue hindrance, as long as the required higher standards of data protection are adhered to.
However, concerns remain over the adequacy of the new agreement and four EU member states have abstained from giving their agreement. Privacy advocates question whether the new agreement will have any meaningful impact on consumer privacy, stating that it can easily be undermined.
While the EU privacy shield is likely to be adopted within the stated time frame, its future remains uncertain, with some suggesting that it’s likely to be challenged by the courts because of the holes that remain to be filled.
The U.S. government is increasingly focused on cybersecurity after major security breaches in 2015. Learn more about what government agencies are doing to improve security here.