Privacy Ref Blog

New Rules for Moving Data Across the Pond

Does your US organization do business in Europe? If so, the rules for collecting the personal data of EU citizens and moving it across borders into the US are about to change. A new EU regulation is taking shape under a tight deadline and intense pressure, and it will force changes to some common digital-age practices that the two regions regard very differently.

What’s Changing?

On February 2, European Commission officials announced they had reached an agreement with US officials on new terms for transferring the digital data of European citizens across international borders to US corporations. Titled the EU-US Privacy Shield, the agreement will be the successor to the previous Safe Harbor data protection regulation that had been in place for 15 years. That regulation was invalidated by the European Union high court last October as being inadequate, following a lawsuit incited by revelations from Edward Snowden about US government surveillance practices.

The high court allowed just a short 3 months for a new deal to be worked out, placing in doubt the continued legality of companies like Google, Amazon and many, many other American firms continuing to move data they collect about EU citizens to servers in the US. Billions of dollars are at stake. The European Union generally has much stricter privacy laws regarding Personally Identifiable Information than are found in the US.

A few highlights of the new (as yet undocumented) agreement include the requirement for companies agreeing to the Privacy Shield to commit to and publish ‘robust obligations’ on how they collect and process personal data, and to guarantee protection of individual rights; the definition of a multi-layered approach for processing citizen grievances; and the creation of an ombudsman role within the US State Department to follow up on complaints about national security access to personal data of EU citizens.

What Are the Next Steps?

While an agreement in principle has been reached, the actual terms will need to be documented and then ratified by the 28 EU member state Data Protection Authorities. They are national leaders who oversee privacy practices in their countries. It remains to be seen if the Privacy Shield terms will pass muster with the DPAs, or if further legal challenges will result from citizens at large – some of whom, notably Max Schrems, the original plaintiff in the Safe Harbor case, are already expressing skepticism about the new deal. The EU Commissioners did stress that the high court’s ruling from last October served as their benchmark for setting up the new terms so as to avoid any future issues.

What Should You Do?

The Privacy world will be watching closely as the regulation and any potential challenges evolve. If your company does collect personal data on EU citizens (employees or customers), you’ve undoubtedly been awaiting this news. Given the early stage of this accord, what can US companies do for now?

  1. Stay apprised of the agreement’s progress by checking the European Commission’s web site or engaging with us to keep on top of developments
  2. Raise awareness within your organization about this pending change and the need to be more privacy mindful in general
  3. Conduct a Privacy Impact Assessment of any existing or in-the-works systems that involve personal data of European Union citizens, so you will be prepared to make necessary adjustments once the EU-US Privacy Shield agreement is finalized

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 5, 2016 by Kathy Stershic

