On Oct. 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor framework, which until then had served as the legal basis for transferring personal data of EU residents to U.S. companies. Since that day, the European Union and the United States have been negotiating a replacement framework that will satisfy European data protection law and again permit EU personal data to be transferred lawfully to the United States. They are calling this new framework the "Privacy Shield." In a Feb. 2, 2016, news release, Commissioner Vera Jourová, who leads the negotiations on the EU side, said, "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies."
The EU and the U.S. have held a series of discussions, and many observers consider the Privacy Shield a substantial improvement over Safe Harbor. However, several European authorities have raised concerns about parts of the European Commission's draft adequacy decision on the framework. Under the negotiated framework, U.S. multinational organizations will face a series of challenges in stepping up their privacy and data protection practices to comply with EU privacy law. Those challenges may grow if the commission adopts the revisions suggested by the Article 29 Working Party (WP29), the European Parliament, and the European Data Protection Supervisor (EDPS).
The Privacy Shield retains many of the components of its Safe Harbor predecessor. It sets out principles that participating organizations must follow, requires organizations to self-certify and register with the U.S. Department of Commerce (DOC), and provides for publication of a list of certified organizations on the DOC website. Following are some key areas in which the Privacy Shield takes matters one step further, yet not far enough for some European authorities.
Because Europe maintains stricter privacy regulations than the United States, many businesses now find their hands tied when handling data that was transferred under the defunct Safe Harbor agreement. With no replacement framework yet in force, many U.S.-based companies are stuck between a rock and a hard place, trying to maintain business as usual without breaching EU data protection law or drawing enforcement action from EU data protection authorities or the U.S. Federal Trade Commission. As a Feb. 25, 2016, article in Fortune states, some organizations are already facing the consequences: "According to [Hamburg] media, the Hamburg data protection authority is preparing to fine three companies for relying on Safe Harbor as the legal basis for their transatlantic data transfers. Two other firms are also under investigation."
While organizations in the U.S. await the European Commission's response to the calls for improvements to the Privacy Shield framework and the adoption of the revised text, the standard contractual clauses (model clauses) and binding corporate rules (BCRs) are the interim mechanisms for transfers in the absence of Safe Harbor. However, there has been speculation that EU privacy regulators may also call into question the legality of these mechanisms. Organizations should continue to monitor the EU privacy landscape diligently and with the assistance of their general counsel.
How is your organization handling the transfer of EU citizen data during this interim period?
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.