Privacy Ref Blog

New Rules for Moving Data Across the Pond

Does your US organization do business in Europe? If so, the rules for collecting and moving the personal data of EU citizens across borders and into the US are about to change. A new EU regulation is taking shape under a tight deadline and intense pressure that will force changes to some common practices in the digital age which are regarded very differently by the two regions.

What’s Changing?

On February 2, European Commission officials announced they had reached an agreement with US officials on new terms for transferring the digital data of European citizens across international borders to US corporations. Titled the EU-US Privacy Shield, the agreement will be the successor to the previous Safe Harbor data protection regulation that had been in place for 15 years. That regulation was invalidated by the European Union high court last October as being inadequate, following a law suit incited by revelations from Edward Snowden about US government surveillance practices.

The high court allowed just a short 3 months for a new deal to be worked out, placing in doubt the continued legality of companies like Google, Amazon and many, many other American firms continuing to move data they collect about EU citizens to servers in the US. Billions of dollars are at stake. The European Union generally has much stricter privacy laws regarding Personally Identifiable Information than are found in the US.

A few highlights of the new (as yet undocumented) agreement include the requirement for companies agreeing to the Privacy Shield to commit to and publish ‘robust obligations’ on how they collect and process personal data, and to guarantee protection of individual rights; the definition of a multi-layered approach for processing citizen grievances; and the creation of an ombudsman role within the US State Department to follow up on complaints about national security access to personal data of EU citizens.

What Are the Next Steps?

While an agreement in principle has been reached, the actual terms will need to be documented and then ratified by the 28 EU member state Data Protection Authorities. They are national leaders who oversee privacy practices in their countries. It remains to be seen if the Privacy Shield terms will pass muster with the DPAs, or if further legal challenges will result from citizens at large – some of whom, notably Max Shrems the original plaintiff in the Safe Harbor case, are already expressing skepticism about the new deal. The EU Commissioners did stress that the high court’s ruling from last October served as their benchmark for setting up the new terms so as to avoid any future issues.

What Should You Do?

The Privacy world will be watching closely as the regulation and any potential challenges evolve. If your company does collect personal data on EU citizens (employees or customers), you’ve undoubtedly been awaiting this news. Given the early stage of this accord, what can US companies do for now?

  1. Stay apprised of the agreement’s progress by checking the European Commission’s web site or engaging with us to keep on top of developments
  2. Raise awareness within your organization about this pending change and the need to be more privacy mindful in general
  3. Conduct a Privacy Impact Assessment of any existing or in-the-works systems that involve personal data of European Union citizens, so you will be prepared to make necessary adjustments once the EU-US Privacy Shield agreement is finalized

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 5, 2016 by Kathy Stershic


« »

No Responses

Comments are closed.


« »

Subscribe to our mailing list

Please fill out the form below.

Required

Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to info@privacyref.com or call (888) 470-1528.

News

June 9, 2016

Are you “cyber” prepared? Maintaining the Financial Stability of Your Firm One GB at a Time
Join us for an engaging discussion and learn more about “The difference between Security & Privacy Programs” with Bob Siegel, Founder and President of Privacy Ref, Inc. Learn More

Latest Blog Posts

May 25, 2016

Playing the Privacy Metagame
If you attended our most recent quarterly data breach review, you probably heard a new term: “metagame.”  The idea, put in its simplest form, is to take information from outside a scenario and use it to influence your choices.  It is amazing how using information that is not necessarily inside your environment can allow you to adjust and prepare for a lot of scenarios.  This in turn keeps you ahead of the game. Continue reading this post...

May 24, 2016

What is the difference between privacy and security?
One question that I am frequently asked is “what is the difference between privacy and security?” It sounds simple enough, but the response often gets complicated. Maybe an analogy will help. Continue reading this post...

Other Recent Posts

PRIVACY REF