Privacy Ref Blog

New Rules for Moving Data Across the Pond

Does your US organization do business in Europe? If so, the rules for collecting the personal data of EU citizens and moving it across borders into the US are about to change. Under a tight deadline and intense pressure, a new EU regulation is taking shape that will force changes to some common digital-age practices which the two regions regard very differently.

What’s Changing?

On February 2, European Commission officials announced they had reached an agreement with US officials on new terms for transferring the digital data of European citizens across international borders to US corporations. Titled the EU-US Privacy Shield, the agreement will succeed the Safe Harbor data protection regulation that had been in place for 15 years. That regulation was invalidated as inadequate by the European Union high court last October, following a lawsuit prompted by Edward Snowden's revelations about US government surveillance practices.

The high court allowed just three months for a new deal to be worked out, placing in doubt whether companies like Google, Amazon and many other American firms could legally continue moving the data they collect about EU citizens to servers in the US. Billions of dollars are at stake. The European Union generally has much stricter privacy laws regarding Personally Identifiable Information than are found in the US.

A few highlights of the new (as yet undocumented) agreement include the requirement for companies agreeing to the Privacy Shield to commit to and publish ‘robust obligations’ on how they collect and process personal data, and to guarantee protection of individual rights; the definition of a multi-layered approach for processing citizen grievances; and the creation of an ombudsman role within the US State Department to follow up on complaints about national security access to personal data of EU citizens.

What Are the Next Steps?

While an agreement in principle has been reached, the actual terms will need to be documented and then ratified by the Data Protection Authorities (DPAs) of the 28 EU member states, the national regulators who oversee privacy practices in their countries. It remains to be seen whether the Privacy Shield terms will pass muster with the DPAs, or whether further legal challenges will come from citizens at large – some of whom, notably Max Schrems, the original plaintiff in the Safe Harbor case, are already expressing skepticism about the new deal. The EU Commissioners did stress that the high court’s ruling from last October served as their benchmark in setting up the new terms, so as to avoid any future issues.

What Should You Do?

The privacy world will be watching closely as the regulation and any potential challenges evolve. If your company collects personal data on EU citizens (employees or customers), you’ve undoubtedly been awaiting this news. Given the early stage of this accord, what can US companies do for now?

  1. Stay apprised of the agreement’s progress by checking the European Commission’s website or engaging with us to keep on top of developments
  2. Raise awareness within your organization about this pending change and the need to be more privacy mindful in general
  3. Conduct a Privacy Impact Assessment of any existing or in-the-works systems that involve personal data of European Union citizens, so you will be prepared to make necessary adjustments once the EU-US Privacy Shield agreement is finalized

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 5, 2016 by Kathy Stershic

