How strong is the EU-U.S. Privacy Shield?

Deal keeps trans-Atlantic data flowing, but details still to be worked out


Editor’s note: When the European Court of Justice invalidated a 15-year-old Safe Harbor agreement last October, it tossed Google, Apple, Amazon and hundreds of small- and midsize U.S. companies that transact with European clientele into an ocean of uncertainty.

Last week, Europe and the United States announced a legal mechanism, called the EU-U.S. Privacy Shield, to facilitate the legal transfer of commercial data across the Atlantic. ThirdCertainty tapped Eduard Goodman, chief privacy officer at IDT911, and Paul Keane, European operations manager at IDT911, for their perspectives, sitting on opposite sides of the pond. Full disclosure: IDT911 sponsors ThirdCertainty.

Eduard Goodman

The new framework for the transfer of personal data between the European Union and the United States is really the evolution of more than 15 years of established privacy regimes between the U.S. and the EU.

Eduard Goodman, IDT911 chief privacy officer

The EU-U.S. Privacy Shield protects the fundamental right of privacy of European citizens while providing legal certainty for the thousands of U.S.-based businesses that serve them.


This is a big step for the United States. It gives the EU assurances that the excesses of law enforcement and government surveillance will be subject to redress. National security access to EU data in the U.S. will have a redress mechanism available to impacted EU citizens, with more details to follow.

For specific complaints about a U.S. company, the redress will be fairly similar to the old Safe Harbor framework. The complaint is first to be attempted to be resolved by the company with the complainant. The Federal Trade Commission will work with EU Data Protection Authorities to ensure the resolution of any complaints in a timely manner. There also is an arbitration mechanism.

Interestingly, the redress mechanism will be administered in the U.S. by some form of ombudsman, much like Privacy Authorities at the federal and provincial levels by our neighbor to the north, Canada. This could mean that the U.S., at long last, actually could create some form of public-sector privacy czar, akin to the data and privacy protection officials long established in Canada and Europe.

A draft of the agreement will be published by the Europeans in a few weeks, with the U.S. side also having several weeks to begin next steps.

So in the end, what does it all mean? It means that we finally have a general agreement that will allow the continued exchange of data between the EU and the U.S. But it also means that the devil is in the details, and we all will be waiting to review the final version.

Paul Keane

The EU-U.S. Privacy Shield is most certainly a welcome relief for businesses on either side of the pond, especially small and midsize companies. This announcement certainly eases the tension building up since last fall.

Paul Keane, IDT911 European operations manager

The powers that be, and the spin doctors who weave the headlines, knew an announcement had to be made this week before faith began to disintegrate and chaos ensued.

One could be forgiven for believing this is “deal done.” It is, in fact, far from it. Many details are still simmering with the whole deal awaiting detailed scrutiny on both sides. Still, many well-informed sources have expressed cautious optimism. Privacy Shield at the very least is a step in the right direction.

The rigid data laws of the past clearly were not workable in the modern era of ever-evolving technology. Consider that in 1995 mobile phones looked like walkie-talkies from a war movie; Yahoo Search was launched; and Google was still three years from being born.

Today, a 2-year-old can use an iPad to call their nanny (as mine did), and we can watch HD movies on our phones, while building a PowerPoint for the office meeting in the morning.

Technology advancements that rely on the free flow of data are ever evolving. Li-Fi leverages wireless optical networking technology to leapfrog Wi-Fi; AI (artificial intelligence) has gone mainstream in services like Siri and Google Now, with self-driving automobiles on the horizon; and mobile shopping and banking are converging with virtual reality innovations, like Google Cardboard.

Perhaps the most encouraging component of this agreement is that the powers that be allowed Privacy Shield the ability to evolve with time. This I find to be a major positive. But it will require us all to keep up.

For right now, grab yourself some popcorn, a comfy chair and your encrypted tablet, for there is more to come as the details emerge.
