After 20 years of relative calm regarding the handling of personal data of EU citizens by U.S. companies, events over the past six months have instigated widespread reform. While the resolution is yet to be confirmed, the building blocks for a modern, cross-border data privacy agreement have begun to take shape.
In 1995, the European Commission issued the EU Data Protection Directive, which at the time revolutionized the concept of personal information data protection. While components of the directive have demonstrated strong foresight, the need to update several of the directive's provisions has grown glaringly apparent.
Perhaps the greatest deficiency of the directive is that it is only advisory legislation and does not require adoption by all EU member states. As a result, the application of privacy rules varies widely from one EU country to the next.
The possibility of having 28 separate versions of privacy law within the EU chilled the prospect of many U.S. companies conducting commercial transactions with EU citizens. This motivated the "Safe Harbor" provision, which permitted U.S. companies to, in effect, conduct "one-stop shopping" in guaranteeing the safe handling of personal information of EU citizens. This review process was done through self-certification.
This lack of oversight became widely exposed when Max Schrems won his case on Oct. 6, 2015 in the Court of Justice, which held that no EU provision had the outright authority to divest a member state's Data Protection Commissioner of the ability to investigate a citizen's complaint. The court took the matter one step further by ruling that the Safe Harbor agreement be permanently invalidated.
The Schrems ruling elicited great concern for those U.S. companies. The directive does provide alternative means of complying with protecting data, but none of them are universally practical for all businesses.
On Feb. 2, 2016, a few days past the deadline set by the Article 29 Working Party, it was announced that the U.S. Department of Commerce and the EU Commission had reached agreement to a version of "Safe Harbor 2.0" called the EU-U.S. Privacy Shield. On Feb. 29, 2016, the initial draft of the proposed Privacy Shield was publicly released.
It might be premature to dissect the minutia of the proposal, as it still must undergo several levels of review before it actually goes into effect. Nevertheless, the current draft provides insight into what the Department of Commerce and the EU Commission have already determined to be an acceptable compromise.
Many elements of the Privacy Shield were included to counter deficiencies the EU Court of Justice mentioned in Schrems. For example, the Shield requires each U.S. company possessing data of an EU citizen to establish an internal and readily-available method to receive and process complaints free of charge to EU citizens. There is also a precise timeline for complaint response. To counter one of the greatest concerns raised in Schrems, U.S. law enforcement seeking access to such data must give EU citizens a method of legal redress, as is presently underway with amendments to the Judiciary Redress Act proposed by the Obama Administration on Feb. 24, 2016, and forwarded to Congress.
Sign up for CIO Asia eNewsletters.