Every day it seems we read about yet another unfortunate high-profile data loss incident. While the federal government has been relatively silent in enacting any new comprehensive set of data privacy laws on its own, there have been significant developments in the European Union over the past six months. This activity will impact organizations with access to EU-centric data and/or have a need to transfer data from the EU to the United States.
Traditionally, the EU has viewed the right to privacy as a fundamental human right. This concept is reflected in these three recent major developments: (1) the invalidation of the U.S.-EU Safe Harbor program; (2) the announcement of the new EU-U.S. Privacy Shield; and (3) the approval of the new EU General Data Protection Regulation.
Safe Harbor invalidation
Back in 2000, the U.S. Department of Commerce, in consultation with the European Commission, created a “safe harbor” framework, which was a mechanism for U.S. organizations to self-certify and satisfy the adequacy standard for data privacy protection in the EC’s 1995 Data Protection Directive.
But last Oct. 6, the EU’s highest court, the European Court of Justice, declared the U.S.-EU Safe Harbor program invalid, meaning all transfers of personal data from the EU to the U.S. based solely on the Safe Harbor program are now invalid as well. More than 4,000 U.S. organizations relied on the Safe Harbor program. However, transfers based on other grounds, such as the EU Model Clauses, remain legitimate.
The court of justice made its determination in a case brought by Max Schrems, an Austrian privacy advocate, who filed a complaint in 2013 with the Irish Data Protection Authority about Facebook’s use of the Safe Harbor program to transfer his personal data to the U.S. The court concluded the Safe Harbor program itself is invalid because the U.S. does not ensure an adequate level of protection for European data through U.S. authorities’ allegedly indiscriminate collection of electronic communications and due to the lack of judicial redress for European data subjects in U.S. courts.
EU-U.S. Privacy Shield
The invalidation of the Safe Harbor program sent shock waves through the U.S. business community. In the aftermath of the court of justice’s decision to invalidate the Safe Harbor program, the Article 29 Working Party — a highly influential EU privacy regulator composed of data protection authorities from each EU member state — essentially imposed an end of January 2016 deadline for EU and U.S. authorities to develop a workable solution as a successor to the Safe Harbor program.
On Feb. 2, the EC announced the EU and U.S. governments had agreed on a new mechanism to enable the transfer of personal data from Europe to the U.S. called the EU-U.S. Privacy Shield, which effectively replaces the Safe Harbor program.
While the full details of the Privacy Shield were not disclosed during the Feb. 2 announcement, the EC published the complete Privacy Shield framework on Feb. 29.
The EC Privacy Shield fact sheet states: “The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including through increased cooperation with European (d)ata (p)rotection (a)uthorities.” Additional EU regulatory approval for the Privacy Shield is still required, and the Article 29 Working Party will provide an opinion on the Privacy Shield this month.
General data protection regulation
After a long journey to reform existing EU data protection laws, an agreement on the terms of the protection regulation agreement was reached between the EC, the European Parliament and the Council of the EU on Dec. 15. While this agreement still requires the official validation by the European Parliament and the Council of the EU, it is expected the agreement will become effective sometime during 2018.
The general data agreement will replace the 1995 Data Protection Directive. Here are just a few key aspects:
- Strong enforcement. Organizations are subject to fines up to 4 percent of their annual revenue for violations;
- Wide applicability to organizations that have access to EU citizen data and may not be EU-based;
- Potential notification of a data breach within 72 hours of discovery;
- Establishment of a “right to be forgotten”;
- A need in many organizations to appoint a data-protection officer.
Be sure to enlist the active support of privacy specialists to help your organization navigate through this changing data privacy landscape. And if technology providers have access to your data, be sure to only work with providers you can truly trust.