What is the EU-US Privacy Shield? It’s a framework for transatlantic exchanges of personal data between the European Union and the US.
Why do organisations need it? One of its key purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws designed to protect EU citizens.
There has been much talk about the EU-US Privacy Shield agreement over recent weeks, specifically the dramatic statement made by the European Parliament’s Civil Liberties (‘LIBE’) Committee, which has called on the European Commission to suspend the arrangement due to its alleged failure to provide enough data protection for EU citizens. This was followed quickly by the Council of Bars and Law Societies of Europe (CCBE), which repeated its suitability concerns and called for an immediate suspension.
Many believe that these latest developments could spell the end for Privacy Shield, a scheme that has always had its critics. After all, the scheme is built on self-certification, with external vetting only taking place if it is requested by the company itself. If GDPR-level compliance cannot be demonstrated by 1 September 2018, suspension of Privacy Shield could well follow.
How might this impact EU Data Controllers and Processors?
1. Less choice and flexibility
If Privacy Shield is suspended, there will be a lot less choice for EU Data Controllers and Processors about who they can (easily) share data with. If EU organisations can no longer transfer personal data on EU residents to organisations based within the world’s largest economy (aside from where specific individual arrangements have been made), then a significant void will be created in the market.
Data transfers will still be possible, but just far more complex, as organisations will be required to conduct individual assessments of adequacy and confirm the presence of ‘appropriate safeguards’, and will require more strictly worded data sharing agreements that include Binding Corporate Rules (BCRs) or EU model contract clauses (SCCs).
2. Increased costs
Even if any suspension were only temporary, with the US all but excluded from processing EU data, it means there will be significantly less choice and inevitably prices will rise as demand outstrips supply elsewhere. Those that have no choice but to continue with data transfers will have to carry out more stringent checks and put in place specific agreements, much as they must do now when transferring personal data to other countries not deemed ‘adequate’ by the EU.
3. Contractual uncertainty
For EU Data Controllers and Processors who currently have data sharing agreements in place with companies who demonstrate Privacy Shield compliance, it may mean that those agreements are no longer fit for purpose. Naturally, it may also call into question the adequacy of security arrangements within these agreements.
4. An increase in Subject Access Requests (SARs)
With the security around Privacy Shield called into question, it is entirely likely that Data Subjects will be more concerned than ever before about how their data is being treated. Therefore, Data Controllers can expect to receive an increase in the number of objections, requests for erasure, SARs, etc. from those seeking clarification and reassurance that their personal details are being processed securely and appropriately. Be prepared for more enquiries and complaints to be made to regulators too.
5. More scams
Almost as inevitable as death and taxes is the fraudster on the prowl, looking to exploit any new opportunity presented to them. This could become one such golden opportunity. So, data subjects will need to watch out for correspondence out-of-the-blue suggesting that their data has been compromised due to the uncertainty with Privacy Shield. And be equally wary of those companies offering you their services as GDPR-compliant without first checking out their credentials.
On the positive side, if a suspension leads to an improvement in the protections that then leads to safer transfers, then it can only be a good thing.
How can you protect your business? Whatever the outcome, the DPO Centre can help to guide you by providing experienced outsourced Data Protection Officers who assist you to navigate the ever-changing legislative landscape, as well as EU Representative services to US and non-EU based organisations that need to comply with Article 27 of the GDPR. For further information, please contact us.
For further information, head to: https://ico.org.uk/for-