Safe Harbour is dead. That came as welcome news to privacy rights activists, but sent shockwaves across organisations in Europe and the USA. There was undoubtedly some relief when we saw the ‘Privacy Shield’ emerge from the ashes of the Safe Harbour agreement. However, it isn’t time to set off the fireworks yet – there is a long and rocky road ahead before the new agreement becomes a reality.
Privacy Shield is a powerful name for the proposed EU – US data transfer agreement. It immediately evokes confidence in a way that Safe Harbour never did. The strength of the Privacy Shield framework goes beyond the name though – it introduces strong obligations on US companies handling personal information of EU citizens; robust enforcement mechanisms; effective protection of EU citizens’ rights, including direct redress in the event of data misuse and, importantly, it is set to introduce transparency obligations on US government agencies and limit their access to EU citizens’ data.
Not a done deal
On paper, this sounds like a big step forward from Safe Harbour with respect to privacy protection for individuals. However, at the moment Privacy Shield is really only an agreement in principle between the EU Commission and US authorities. The text of the framework has not been drafted, and it is therefore unclear exactly what the above statements will mean in practice. Privacy Shield is a long way from being a done deal!
So, what next for Privacy Shield? The framework needs to be drafted and reviewed by the Article 29 Working Party (formed of representatives from the different data protection authorities across the EU), in addition to other European Institutions. It is likely that they will raise strong objections if this text appears to be a “Safe Harbour rollover”. Civil liberties groups are almost certainly going to challenge the agreement too – particularly if access by US government agencies isn’t limited enough. Only time will tell whether Privacy Shield survives this scrutiny.
Data localisation the end goal
Considering the bigger picture, Privacy Shield is just the next salvo in the battle over data localisation. Countries across the globe, including Russia and South Korea, are implementing laws that make it harder and harder to transfer data across jurisdictional borders. This seems counter-intuitive given the interconnected world we live in, where most organisations are seeking global integration, not a return to siloed operations.
What does this mean for IT organisations? Just another item to add to the ever expanding list of challenges that organisations face when processing personal information.
With Safe Harbour dead, organisations can no longer rely on it as a legitimate mechanism to transfer personal information to the US. Given the uncertainty around Privacy Shield, organisations should be taking alternative, risk-based, pragmatic steps to legitimise these transfers, for example by implementing the EU Model Clauses.
It is important that organisations think beyond the mechanism for legitimising cross-border data transfers. This is just one piece of the puzzle, and with the EU General Data Protection Regulation (GDPR) on the horizon, it is a long way from being the most important piece. Organisations need to consider the full scope of current and impending legal requirements before outsourcing:
- Have appropriate notices been embedded to inform individuals that their data will be exported?
- Is it appropriate to give access to this data to a third party?
- Have you performed comprehensive due diligence on the third party to confirm they have appropriate processes and controls in place?
- Do you have the right contract in place?
- Are you performing ongoing assurance of your third parties?
These are all questions that IT organisations should be seeking to answer with regard to international transfers to third-party processors.
Regardless of what happens with Privacy Shield, organisations need to understand that privacy requirements are becoming increasingly complex and important. This is true both when outsourcing services and when providing an outsourced service. Whether it is the requirements of Privacy Shield, the GDPR or the myriad other privacy regulations being implemented across the globe, acting as an IT outsourced service provider is fraught with new challenges. Direct accountability, increased transparency, provision of local services and more robust privacy controls are just a handful of the things that IT outsourced service providers need to be planning for.
The world is a very different place from when Safe Harbour was first agreed. We wait to see whether Privacy Shield has gone far enough to address Safe Harbour’s shortfalls to make it fit for purpose in this new world. In the interim, IT organisations should be strengthening their privacy safeguards and seeking alternative mechanisms to legitimise data transfers to the US.
Mark Thompson, Privacy Practice Leader and Ewan Donald, Privacy Advisory at KPMG