Perhaps it’s a sign of the times that “not terrible” news out of the EU might be seen as good news! If so, we should be delighted with the fact that on July 9, 2016 the Article 31 party issued a positive opinion with respect to the EU-US Data Shield, thereby clearing the way for the EU commission to adopt the compact. The expectation is now that the EU and the US, through their authorized representatives, will meet very soon to actually sign the document creating a new privacy protocol for the transmission of data from the EU to the US and establishing new standards of privacy to which US companies seeking protection of the Shield may ascribe. We have previously written about some of the aspects of the Data Shield but now that it is on the verge of formal adoption, survey professionals should look carefully at how they are handling, securing, protecting and indeed transmitting personally identifiable data. More on that in a moment.
The news wasn’t completely good however. Of all of the individual nations represented in the Article 31 Working Party, it was reported that four abstained from voting. I’m guessing that one of them was the UK (and we’ll get to UK in this post too). Who were the others? We don’t know, but the point is that not all privacy regulators were happy with the particulars of the new protocol; they were willing, apparently, to let it move forward, but not willing to officially sign on. That probably means a couple of things: first, that there will be some “adjustments” as implementation moves forward; and second, that US companies should consider themselves to be on their “best behavior”, meaning that the extent to which the Data Shield is a success may well depend on how seriously organizations in the US take it. If it is seen as something to which companies give lip service without too much more (a major complaint around the “Safe Harbor”), we may find ourselves back where we started. And that would not be good news!
Now as to the UK. Brexit, from the point of view of privacy regulation, is not such good news. At some point in time- and this is far from determined- the UK will assumedly invoke its right under the Lisbon treaty to remove itself from the EU. In effect, the UK will then be in the same position as the US in terms of the transmission of personal information from the EU. Of course, one imagines that, unless the UK significantly alters its privacy laws, it ought to be able to obtain a “determination of adequacy” (which is something the US has not been able to do) and thereby establish a legal basis for transmission of personal information. But there is a lot of room for speculation and perhaps even doubt on that score.
Moreover, Brexit will mean that privacy regulators in the EU will no longer have the moderating influence of the UK to balance some of the more aggressive tendencies of other countries. So the UK decision to leave the EU is something of a double whammy for privacy practitioners.
What will the Data Shield require and how will it work? We know much of it but not all of it. In the coming weeks, we’ll see the final version and be able to fill in some blanks.
Would you like to get an in depth briefing of how the Data Shield will work and how it relates to the survey industry? Let us know by sending a note to firstname.lastname@example.org. We’re going to put together a briefing in the fall and we’ll love to get a sense of who and where the possible audience is.
But, for now, lets stay focused on the positive. The Data Shield is about to become the standard for privacy practices between the EU and the US. Feel free to breath a sigh of relief. While it may not be perfect and there will a lot of work for all of us in the survey industry to make sure our policies and practices are up to the new standards, the alternative to approval was decidedly bad for everyone. Whew.