How strong is the EU-U.S. Privacy Shield?
Deal keeps trans-Atlantic data flowing, but details still to be worked out
By Eduard Goodman and Paul Keane, Special to ThirdCertainty
Editor’s note: When the European Court of Justice invalidated a 15-year-old Safe Harbor agreement last October, it tossed Google, Apple, Amazon and hundreds of small- and midsize U.S. companies that transact with European clientele into an ocean of uncertainty.
Last week, Europe and the United States announced a legal mechanism, called the EU-U.S. Privacy Shield, to facilitate the legal transfer of commercial data across the Atlantic. ThirdCertainty tapped Eduard Goodman, chief privacy officer at IDT911, and Paul Keane, European operations manager at IDT911, for their perspectives, sitting on opposite sides of the pond. Full disclosure: IDT911 sponsors ThirdCertainty.
The new framework for the transfer of personal data between the European Union and the United States is really the evolution of more than 15 years of established privacy regimes between the U.S. and the EU.
The EU-U.S. Privacy Shield protects the fundamental right of privacy of European citizens while providing legal certainty for the thousands of U.S.-based businesses that serve them.
Free resource: How to build customer loyalty by keeping data secure
This is a big step for the United States. It gives the EU assurances that the excesses of law enforcement and government surveillance will be subject to redress. National security access to EU data in the U.S. will have a redress mechanism available to impacted EU citizens, with more details to follow.
For specific complaints about a U.S. company, the redress will be fairly similar to the old Safe Harbor framework. The complaint is first to be attempted to be resolved by the company with the complainant. The Federal Trade Commission will work with EU Data Protection Authorities to ensure the resolution of any complaints in a timely manner. There also is an arbitration mechanism.
Interestingly, the redress mechanism will be administered in the U.S. by some form of ombudsman, much like Privacy Authorities at the federal and provincial levels by our neighbor to the north, Canada. This could mean that the U.S., at long last, actually could create come form of public-sector privacy czar, akin to the data and privacy protection officials long established in Canada and Europe.
A draft of the agreement will be published by the Europeans in a few weeks, with the U.S. side also having several weeks to begin next steps.
So in the end, what does it all mean? It means that we finally have a general agreement that will allow the continued exchange of data between the EU and the U.S. But it also means that the devil is in the details, and we all will be waiting to review the final version.
The EU-U.S. Privacy Shield is most certainly a welcome relief for businesses on either side of the pond, especially small and midsize companies. This announcement certainly eases the tension building up since last fall.
The powers that be, and the spin doctors who weave the headlines, knew an announcement had to be made this week before faith began to disintegrate and chaos ensued.
One could be forgiven for believing this is “deal done.” It is, in fact, far from it. Many details are still simmering with the whole deal awaiting detailed scrutiny on both sides. Still, many well-informed sources have expressed cautious optimism. Privacy Shield at the very least is a step in the right direction.
The rigid data laws of the past clearly were not workable in the modern era of ever-evolving technology. Consider that in 1995 mobile phones looked like walkie-talkies from a war movie; Yahoo Search was launched; and Google was still three years from being born.
Today, a 2-year-old can use an iPad to call their nanny (as mine did), and we can watch HD movies on our phones, while building a PowerPoint for the office meeting in the morning.
Technology advancements that rely on the free flow of data are ever evolving. Li-Fi leverages wireless optical networking technology to leapfrog Wi-Fi; AI (artificial intelligence) has gone mainstream in services like Siri and Google Now, with self-driving automobiles on the horizon; and mobile shopping and banking are converging with virtual reality innovations, like Google Cardboard.
Perhaps the most encouraging component of this agreement is that the powers that be allowed Privacy Shield the ability to evolve with time. This I find to be a major positive. But it will require us all to keep up.
For right now, grab yourself some popcorn, a comfy chair and your encrypted tablet, for there is more to come as the details emerge.