Safe Harbour, Privacy Shield, and the ongoing fight for secure data exchange

On Wednesday 13th April 2016, it was back to the drawing board for the EU Commission and the US government regarding data privacy.

The Article 29 Data Protection Working Party recommended that further changes be made to the Privacy Shield agreement (the temporary replacement for the historic Safe Harbour agreement) before it could be viewed as fully adequate under EU data protection laws. These recommendations were later supported by Mr. Buttarelli, the European Data Protection Supervisor (EDPS), who recently stated that Privacy Shield as it stood was not robust enough to withstand future legal scrutiny. Furthermore, the Article 31 Committee (composed of representatives of all EU Member States with voting powers) failed to reach an agreement on the Privacy Shield, requiring additional time. Now, the European Commission has just signed a landmark agreement with the US in its quest to legitimise the transatlantic flow of European Union citizens’ personal information in the context of criminal investigations.

It would seem that the future of secure data exchange has never been so uncertain. Ensuring respect of EU citizens’ human rights and compliance with EU data protection laws and principles remains at the heart of the Article 29 Data Protection Working Party, EDPS and Article 31 Committee’s agenda, and is indeed the lifeblood of reaching a new pragmatic solution for both sides of the Atlantic.

But what next? Will we see even more in the way of political debates and intensified efforts from the EU Commission to close the loophole? Or will we remain in this uncertain state between regulations for months to come? What is profoundly clear is that data has well and truly become the ‘new oil’ today – as termed by Anna Winblad, investor and senior partner at Hummer-Winblad. The key is to find that mutually beneficial solution that protects this ever-precious commodity for continued ‘digital prosperity’.

Data in ‘Industry 4.0’

Recent Constellation Research found that 52 percent of Fortune 500 companies have gone bankrupt, been acquired or ceased to exist since 2000. Examples of those who were too slow to adapt to the ‘pace of digital’ dominate the technology landscape, including a huge portion of 'dot-com' start-ups, a variety and perhaps the most famously cited example of Blockbuster video. With each passing day, we have more data, more connections, more processes happening out of eyesight in the backend. Furthermore, the interactions we have with technology are increasingly sophisticated.

On a global level, according to a 2014 Congressional Research Service study, cross-border data flows between Europe and the USA are the highest in the world today – totaling almost twice as much data as moves between Latin America and the USA, and 50 per cent higher than data exchange between Asia and the USA. It therefore stands to reason that a permanent replacement for the Safe Harbour agreement must be agreed upon swiftly in the interest of global economic growth, and so that businesses can remain competitive in today’s Fourth Industrial Revolution.

Binding Corporate Rules (BCRs) – operating with confidence

With this push to remain competitive, many businesses would be forgiven for asking how this is the case as new data legislation is yet to be ratified. Many companies throughout the world are unaware of Binding Corporate Rules (BCRs) accreditation and how it can enable legal and safe data exchange between continents. The BCRs represent the most comprehensive global data protection and privacy framework in the world, whilst also being in compliance with the most rigorous EU laws. With this recognition, companies who obtain BCR accreditation are permitted to transfer personal data outside of the EU in a secure manner and in accordance with local laws and regulations.

BCRs remain by far the only tool which requires a complete change of DNA in terms of how a company as a group handles its own and its customers’ personal data. Considering the current environment of scepticism, it is the only way forward to drive up levels of confidence and compliance for businesses across both sides of the Atlantic. With BCRs, customers can come to US businesses, safe in the knowledge that their data will be protected and safeguarded in compliance with EU laws. At BMC, we anticipated the end of Safe Harbour early and worked to receive BCR accreditation ahead of time as both a data controller and data processor.

What next?

There will be more negotiations, discussions and debates around the revision to the Safe Harbour agreement in the months ahead. What remains clear is that businesses across the US will have to innovate and comply to experience ongoing growth and to create a culture of trust amongst EU citizens. Moreover, businesses all over the world will continually have to rethink how they protect and harness data to keep customers, employees and citizens protected in our Fourth Industrial Revolution.

Elodie Dowling, VP, EMEA General Counsel at BMC Software
