It’s been a busy three months since the EU Court of Justice mortally wounded the “Safe Harbor” agreement in its now famous (or should I say infamous) Schrems decision.
Since then: the US congress is rapidly finishing its work to address significant issues raised in that decision (see: The US Judicial Redress Act and the USA Freedom Act restricting the scope of the US Patriot Act); the EU completed its work on the new “harmonized” General Data Protection Regulation; and, on February 2, 2016, the EU and US jointly announced that they had reached an agreement in principle to serve as a new mechanism for data transfers from the US to the EU…called the “EU-US Data Shield”. Impressive, no?
Looking at all this activity, one might think that, at the very least, we now have a clear, reliable framework for data transfers. And we do. Well, sort of. But, unfortunately, there is still a lot of uncertainty – and it mostly surrounds the new “Privacy Shield” and its implementation.
So, let’s take a look at the Privacy Shield and parse out what you need to know now. Think of it as your EU-US Data Shield “cheat sheet”.
Six Things You Should Know…
1. What is it?
As of this writing, the Data Shield is an agreement in principle that will – if and when fully implemented – serve as the legal basis for data transfers from the EU to the US. It does not itself make such transfers legal. It provides a pathway for organizations making transfers to do it lawfully. Think of the Data Shield as Safe Harbor, plus, and on steroids.
The “plus” refers to the obligation of the US to do two things. The first is to enact additional legislation clarifying that the restrictions on the NSA will apply to non-US sourced emails in the same way as US sourced emails. The second is to provide legislation specifically creating a useable remedial mechanism for unhappy Europeans who want to complain that their data was improperly processed or transferred. This last will be done through a number of legal tools, including arbitration and administrative action.
“On steroids” refers to the added undertakings and assurances that organizations like ours will need to speak to in order to gain the benefit of the agreement. Stay tuned… but the good news here is that we already know, at least directionally, where they’re going with this, because it is very likely to track the broad outline of the GDPR, and we’ve been actively preparing for that for the last year. So we’re not in bad shape and can definitely run this race… as soon as they show us where the track is.
2. Is this really a Done Deal?
Well sort of… It’s a done deal in the sense that the EU and the US have actually signed something (although we still haven’t actually seen it). However, it will not become effective until a few things happen. And to be blunt, these are not minor mechanical steps we’re talking about.
- First, the US has to actually enact that legislation. Did I mention that it’s an election year? Do you know how dysfunctional the US Congress is in a good year?
- Second, and just as daunting, the EU regulators have to review the final text of the agreement and the substance of what is being done (including the final text of the US legislation) and pronounce that it creates “essential equivalence.” This is a fancy phrase that simply stands for the proposition that the protections afforded to individuals under US law are now reasonably equivalent to the protections afforded to individuals under EU law (and by EU law, I mean that fancy new GDPR that no one has actually interpreted yet and that has a full implementation date two years hence).
- And just to make things even more interesting, there are “critics” among the EU regulatory reviewers already declaring that the Privacy Shield is a flop. Clear, so far?
3. How does it impact what you do as a survey professional?
You will absolutely want to be in compliance with the Data Shield. It works in much the same way as the Safe Harbor, so it will ultimately simplify things in the sense that US companies that are able to comply with the terms of the Privacy Shield will be deemed to be in compliance with legal regulations and therefore may process data from the EU without special approvals or the use of other contractual modalities.
4. What is the time frame for compliance?
The full text of the agreement has not even been published yet… but the joint announcement talked about a three-month formalization process. This is wishful thinking, but it’s probably safe to say that if it’s going to come to fruition, it will be sometime in 2016 (fingers crossed).
5. What happens to the “Safe Harbor”?
“Atlantis”. Really. It’s sinking under the weight of the Schrems decision and will never be heard from again. Moreover, there is no clear pathway for Safe Harbor participants to transition from the harbor to the shield. We may be starting from scratch. But we have the rudiments in place, and it won’t be a big leap from there.
6. What do we do in the meantime?
Standard (Model) Contract Clauses are the only game in town, unless your organization happens to have approved Binding Corporate Rules in place (not likely). In fact, the EU regulators have declared that, for the time being, they continue to view these standard clauses as a valid, enforceable and lawful basis for data transfers.
So now you know exactly what to do when someone brings up this subject or you need to manage data coming from the EU, right? Well, at least you have this fact sheet to refer to… and as always, I’m happy to discuss and to answer your questions.
Stay tuned for my next post … a romp through the GDPR. Or, how to “harmonize” even if you can’t carry a tune (I’ll explain).
Michael I. Meltzer is the General Counsel and the Data Privacy Officer of Sirota Consulting LLC. He is an attorney at law, admitted to the New York State Bar, a member of the Association of Corporate Counsel and of the International Association of Privacy Professionals. He may be contacted at firstname.lastname@example.org.