You cannot make this up. The ODNI (Office of the Director of National Intelligence), an Act of Congress and a European Commission special “working group” known as Article 29 are all involved. Blame it on Edward Snowden. The Europeans are “concerned” (meaning: terrified) about the privacy protections surrounding any of their data stored in the US.
What are we talking about? Facebook, Google, Amazon and many more B2C and B2B organizations collect customers’ data and often hold it in their cloud platforms in the US. If your firm works with anyone in the EU and you use the cloud, you need to be aware of the major change that has taken place in just the last six months or so. You could be legally liable and suffer penalties for not following these new regulations.
A little background – until October of 2015 the relationship between the US and EU around privacy protection of EU citizens’ data stored in the US was governed by something set up in 2000 called Safe Harbor. It was basically a self-policing agreement that stipulated any US company that collected data from EU citizens needed to:
- Inform them their data was being gathered,
- Tell them what would be done with it,
- Obtain permission to pass on the information to a third party,
- Allow EU citizens access to the data gathered,
- Ensure data integrity and security and
- Provide a way to enforce compliance.
But then came the revelations of Snowden. The Europeans were already antsy about American intelligence’s ability to view their personal data, but Snowden really drove them wild. A privacy activist named Max Schrems filed suit in the European Court of Justice against the Irish data protection authority based on the concerns he had about Facebook transferring his data from Ireland to the US.
The court ruled last October that the Safe Harbor agreement was invalid under the EU’s rules. As you might guess, there was immediately a great deal of confusion over what this meant to the various providers and consumers. There was also a recognition that it would be in all parties’ best interest to create a replacement that would meet the EU restrictions. Hence, Shield was born.
The EU-US Privacy Shield, commonly called “Shield”, was forged out of an EU and US set of consultations and changes of law on both sides. There were a few hair-raising moments when it appeared that all the needed steps might not be accomplished by the deadline imposed by the court. But, in the end, they were and when you look back, it is amazing how fast governments can actually work.
The European Commission did all of the following:
- Reformed the EU Data protection rules, which apply to all companies providing services on the EU market,
- Passed the EU-U.S. Umbrella Agreement ensuring high data protection standards for data transfers between the EU and U.S., and
- Established the Shield for commercial data exchange, which contains obligations on U.S. companies who handle personal data.
For its part, the US Congress passed the Judicial Redress Act of 2015 and President Obama signed it. This has significant consequences for US-based businesses because it means that EU citizens will have the right to obtain judicial redress in the US if American authorities mishandle their data.
So what are some of the consequences and differences from Safe Harbor?
- Safeguards related to intelligence activities will extend to all data transferred to the U.S., regardless of the transfer mechanism used.
- The Shield’s dispute resolution framework provides multiple avenues for individuals to lodge complaints, more than those available under the Safe Harbor and alternative transfer mechanisms such as Standard Contractual Clauses or Binding Corporate Rules.
- An organization’s compliance with the Privacy Shield will be directly and indirectly monitored by a wider array of authorities in the U.S. and the EU, possibly increasing regulatory risks and compliance costs for participating organizations.
- The Department of Commerce will significantly expand its role in monitoring and supervising compliance, including carrying out ex officio compliance reviews and investigations of participating organizations.
- Participating organizations will be subjected to additional compliance and reporting obligations, some of which will continue even after they withdraw from the Privacy Shield.
For the big cloud-based providers none of this represents a real burden, but medium and smaller firms need to ensure their own compliance even if their underlying cloud provider is one of the big boys like Amazon or Microsoft. As they always say: “Consult Your Attorney”.
So, what about the spooks? The EU is still worried that representations by the ODNI (“we don’t do bulk spying”) are not sufficient to assure protections. The bet is that the European Commission will probably approve the Shield but the whole thing will still end up in court. Meanwhile, commerce continues to march on and hopefully we will see a complete resolution soon.