Privacy Ref Blog

New Rules for Moving Data Across the Pond

Does your US organization do business in Europe? If so, the rules for collecting and moving the personal data of EU citizens across borders and into the US are about to change. A new EU regulation is taking shape under a tight deadline and intense pressure, and it will force changes to some common practices of the digital age that the two regions regard very differently.

What’s Changing?

On February 2, European Commission officials announced they had reached an agreement with US officials on new terms for transferring the digital data of European citizens across international borders to US corporations. Titled the EU-US Privacy Shield, the agreement will be the successor to the previous Safe Harbor data protection regulation that had been in place for 15 years. That regulation was invalidated by the European Union high court last October as being inadequate, following a lawsuit incited by revelations from Edward Snowden about US government surveillance practices.

The high court allowed just a short 3 months for a new deal to be worked out, placing in doubt the continued legality of companies like Google, Amazon and many, many other American firms continuing to move data they collect about EU citizens to servers in the US. Billions of dollars are at stake. The European Union generally has much stricter privacy laws regarding Personally Identifiable Information than are found in the US.

A few highlights of the new (as yet undocumented) agreement include the requirement for companies agreeing to the Privacy Shield to commit to and publish ‘robust obligations’ on how they collect and process personal data, and to guarantee protection of individual rights; the definition of a multi-layered approach for processing citizen grievances; and the creation of an ombudsman role within the US State Department to follow up on complaints about national security access to personal data of EU citizens.

What Are the Next Steps?

While an agreement in principle has been reached, the actual terms will need to be documented and then ratified by the 28 EU member state Data Protection Authorities. They are national leaders who oversee privacy practices in their countries. It remains to be seen if the Privacy Shield terms will pass muster with the DPAs, or if further legal challenges will result from citizens at large – some of whom, notably Max Schrems, the original plaintiff in the Safe Harbor case, are already expressing skepticism about the new deal. The EU Commissioners did stress that the high court’s ruling from last October served as their benchmark for setting up the new terms so as to avoid any future issues.

What Should You Do?

The Privacy world will be watching closely as the regulation and any potential challenges evolve. If your company does collect personal data on EU citizens (employees or customers), you’ve undoubtedly been awaiting this news. Given the early stage of this accord, what can US companies do for now?

  1. Stay apprised of the agreement’s progress by checking the European Commission’s website or engaging with us to keep on top of developments
  2. Raise awareness within your organization about this pending change and the need to be more privacy-mindful in general
  3. Conduct a Privacy Impact Assessment of any existing or in-the-works systems that involve personal data of European Union citizens, so you will be prepared to make necessary adjustments once the EU-US Privacy Shield agreement is finalized

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 5, 2016 by Kathy Stershic

