Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The EU-US Privacy Shield agreement explained - preparing for uncertainty

John E Dunn | Feb. 8, 2016
The EU and the US are edging towards Safe Harbour 2.0. But is trust gone forever?

What consultants think

"A lot of global businesses will be breathing a sigh of relief today as a significant number of them didn't take action to address the risk of Safe Harbour disappearing.  The agreement is good news for companies as a number were clearly going to struggle from a financial and operational point of view with the uncertainty surrounding the movement of personal data." (Mark Thompson, privacy practice leader, KPMG)

What critics think

The EU-US Privacy Shield is little more than a series of general statements for now, vague on specifics and depending on political buy-in by the US. Those assurances could change with a new US administration. The detail inside the final document will be telling when that is published before the summer. Legal challenges seem inevitable which bodes ill for anyone who wants this to blow over quickly.

The EU-US Privacy Shield agreement explained - what will happen next?

When the detail is published the new agreement will be challenged by privacy groups. This will create some uncertainty. The era of easy data transfers with the US is probably over.

And the EU's General Data Protection Regulation (GDPR)?

The EU-US Privacy Shield will have to comply with and be consistent with it adding yet another layer of complication and uncertainty.

Other complications

Adding to the confusion, the US Department of Justice (DOJ) and Microsoft are in the midst of a legal case in which the US authorities want to access to data held on an Irish server regarding a criminal suspect. Microsoft believes that a US search warrant is not valid and the access should be requested via the Irish Government using the Mutual Legal Assistance Treaty (MLAT). If Microsoft is forced to hand over the data by a US court ruling, the EU-US Privacy Shield could look pretty careworn before it's got going.

What are the alternatives?

In the short term, there are only two possible options. First, processors could use EU datacentres to hold data onshore until such time as a more stable agreement emerges. The alternative is to resort to 'model contract clauses', approved procedures between data exporters (in the EU) and importers (in the US), complex and possibly expensive frameworks that make explicit safeguards should they be challenged before the EU-US Privacy Shield becomes stable.

Uncertainty - and fear - sells

Unfortunately, as with the GDPR, some vendors already sense the possibility of doing some good business. Expect a lot of self-interested pitches to be made for encryption, access control, and almost anything that stops shadow IT. European data and cloud processors will also see the likely requirement to use local facilities as a good sales day.

Source: Computerworld UK 


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.