Privacy Ref Blog

New Rules for Moving Data Across the Pond

Does your US organization do business in Europe? If so, the rules for collecting and moving the personal data of EU citizens across borders and into the US are about to change. A new EU regulation is taking shape under a tight deadline and intense pressure that will force changes to some common practices in the digital age which are regarded very differently by the two regions.

What’s Changing?

On February 2, European Commission officials announced they had reached an agreement with US officials on new terms for transferring the digital data of European citizens across international borders to US corporations. Titled the EU-US Privacy Shield, the agreement will be the successor to the previous Safe Harbor data protection regulation, which had been in place for 15 years. That regulation was invalidated by the European Union high court last October as inadequate, following a lawsuit prompted by Edward Snowden's revelations about US government surveillance practices.

The high court allowed just three months for a new deal to be worked out, placing in doubt the continued legality of companies like Google, Amazon and many, many other American firms moving the data they collect about EU citizens to servers in the US. Billions of dollars are at stake. The European Union generally has much stricter privacy laws regarding Personally Identifiable Information than the US does.

A few highlights of the new (as yet undocumented) agreement include the requirement for companies agreeing to the Privacy Shield to commit to and publish ‘robust obligations’ on how they collect and process personal data, and to guarantee protection of individual rights; the definition of a multi-layered approach for processing citizen grievances; and the creation of an ombudsman role within the US State Department to follow up on complaints about national security access to personal data of EU citizens.

What Are the Next Steps?

While an agreement in principle has been reached, the actual terms will need to be documented and then ratified by the Data Protection Authorities of the 28 EU member states. These are the national bodies that oversee privacy practices in their countries. It remains to be seen whether the Privacy Shield terms will pass muster with the DPAs, or whether further legal challenges will come from citizens at large – some of whom, notably Max Schrems, the original plaintiff in the Safe Harbor case, are already expressing skepticism about the new deal. The EU Commissioners did stress that the high court’s ruling from last October served as their benchmark for setting the new terms, so as to avoid any future issues.

What Should You Do?

The Privacy world will be watching closely as the regulation and any potential challenges evolve. If your company does collect personal data on EU citizens (employees or customers), you’ve undoubtedly been awaiting this news. Given the early stage of this accord, what can US companies do for now?

  1. Stay apprised of the agreement’s progress by checking the European Commission’s website or engaging with us to keep on top of developments.
  2. Raise awareness within your organization about this pending change and the need to be more privacy-minded in general.
  3. Conduct a Privacy Impact Assessment of any existing or in-the-works systems that involve personal data of European Union citizens, so you will be prepared to make the necessary adjustments once the EU-US Privacy Shield agreement is finalized.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information, call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com.

Posted on February 5, 2016 by Kathy Stershic
