8 Ways To Secure Data During US-EU Privacy Fight
After months of legal uncertainty over transatlantic data flows, the European Commission and the US have agreed on a new framework called the EU-US Privacy Shield. But because no text is available yet, there's no way to interpret it. Here's what organizations need to know now.
The EU-US Safe Harbor that governed the flow of data between the US and European Commission countries is dead, and there's no formal framework text to replace it yet. The result is a lot of legal uncertainty for many organizations when it comes to transatlantic transfers of data. It may be weeks or months before the dust settles. What do enterprises need to know now?
First, some background. On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor framework in the Maximilian Schrems v Data Protection Commissioner case. A couple of weeks later, the Article 29 Working Party issued a statement about the practical effects of the ruling. The group urged businesses to proceed very carefully. Then on February 2, 2016, the European Commission announced that it and the US had agreed on a new framework for transatlantic data flows called the EU-US Privacy Shield, but because no text is yet available, the framework cannot be interpreted.
"We haven't seen the solution. We only heard very high-level principles by the European Commission and some data that was added by the Department of Commerce, but we need to see the actual documentation to understand exactly what this entails," said Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), in an interview.
It's clear that unfettered surveillance by the US is considered inconsistent with fundamental individual privacy rights of Europeans, and that opinions about where lines should be drawn differ from country to country, despite unified efforts to define what are and are not lawful transatlantic data transfers. In the interim, alternative mechanisms are available, including Standard Contractual Clauses and Binding Corporate Rules, but they are far from perfect.
"We're getting inquiries from European and US companies asking what they can do. The Article 29 Working Party said that the model clauses or the binding corporate rules are still legal, but they haven't said they're definitely going to be legal forever going forward, which puts people like me on edge," said Kenneth Mullen, a partner at law firm Withers Bergman, in an interview. "At the moment, companies are putting these alternative methods in place."
In addition, the Article 29 Working Party has strongly suggested businesses consider putting legal and technical solutions in place to further minimize risk, which some companies are doing. Others are taking a wait-and-see approach, since no one knows what the Privacy Shield will actually require until the text is available.
Here are a few things you should be aware of.
Data transfers that relied on the Safe Harbor framework are now unlawful. While it may be true that there isn't a lot of policing happening, especially of SMEs, some countries are paying closer attention than others.
"Liability depends on where companies have offices and assets, [and] how much data they're transferring. If you're transferring data from Germany you may be at more risk than transferring data from the UK," said Chiara Portner, an IAPP-certified partner at Paradigm Counsel, in an interview. "I don't see authorities going after very small companies that might not be transferring lots of data. They're probably looking at Facebook or Google to make them a poster child."
Different countries are imposing different fines. Rather than proceeding blindly, some organizations are weighing the risks of liability against the benefits of data transfers that may be considered illegal. Others are adopting Standard Contractual Clauses.
Standard Contractual Clauses are one of the interim alternatives companies can use to protect themselves. Four model clauses are available for use that define the obligations of data importers and exporters. Two of them are designed for "controllers," and two are designed for "processors," although there is confusion about those designations. The model clauses must be adopted verbatim with few exceptions. However, the language of the clauses is extremely vague, which leaves a lot of room for interpretation.
"Sometimes it's difficult to work out what certain things mean, and sometimes you just have to accept that if you're going to adopt these legally you need to adopt them 100%, without knowing what you're signing up to," said Withers Bergman Partner Kenneth Mullen.
Companies adopting the Standard Contractual Clauses can also use ad hoc clauses to demonstrate that data transfers are sufficiently secure. However, the clauses have to be approved on a case-by-case basis by national authorities.
"The problem with making your own arrangements is there's no longer that stamp of approval or guarantee that it's going to be compliant anymore," said Withers Bergman Partner Kenneth Mullen. "The problem US organizations face, especially if they're transferring data from a number of EU states is that each approach to data transfer is different from country to country, with some being stricter than others."
Binding Corporate Rules (BCRs) are designed for multinational companies that are transferring data within the corporate group. Their purpose is to allow data to flow among the various corporate entities, but the rules must be approved by the Data Protection Authorities (DPAs) in each member state in which the company intends to transfer data. Although all of that is coordinated by a "lead authority," it can nevertheless require considerable time and expense.
"BCRs are very expensive. The companies that have signed up are large institutions -- investment banks or multinational organizations that have time to do something," said Withers Bergman partner Kenneth Mullen. "They can take months or a year or more to put in place, depending on the number of countries."
More than 4,000 companies self-certified for the Safe Harbor framework, but there is little to no hope that those companies will automatically be protected by the Privacy Shield, since the Safe Harbor is now invalid.
The Department of Commerce (DOC) and the Federal Trade Commission are responsible for monitoring and enforcing compliance. In addition, a new Ombudsman role has been created; like the DOC's enforcement involvement, this is new.
"Using the DOC as a law enforcement agency is novel because the DOC doesn't do that," said Omer Tene, VP of research and education at the IAPP. "The ombudsman at the State Department is also a novel thing, because it doesn't exist under US law. Would this person have access to classified material? Would she or he have clearance? Would she or he see the top-secret programs? A lot remains to be seen, and the devil is always in the details for these things."
Many companies are seeking legal advice to reduce their potential risks of exposure. However, their lawyers don't have all the answers. In fact, some attorneys are making it very clear to their clients that their efforts are best efforts and not a guarantee against any and all risks.
"Businesses are definitely in a bind because what they've been using for the past year is definitely invalid[. ...] [T]here's not an alternative arrangement in place. Any interim measure is shaking, and no one knows whether it's going to be valid in a few months, so why would you spend thousands or tens of thousands of dollars putting these things in place?" said Omer Tene, VP of research and education at the IAPP.
Apparently, the answer boils down to a risk/benefit analysis.