Flags in front of the European Commission headquarters in Brussels on June 17, 2015 Credit: Loek Essers
U.S. businesses may take some comfort from the fact that a successor to the Safe Harbor agreement has finally been named, but at this point, they shouldn't get too comfortable.
Since it was first announced on Tuesday, the EU-U.S. Privacy Shield agreement governing trans-Atlantic data transfers has elicited considerable concern, not least because it remains largely unwritten and unclear. Privacy watchdogs in Europe have cautioned that it can't be relied upon for legal protection for several months; some say it won't be enough even then.
The old Safe Harbor agreement that provided cover to companies transferring data was declared invalid by an EU court last year.
So what's a business to do?
Julie Brill, commissioner of the U.S. Federal Trade Commission, offered some insight Thursday in a webcast discussion hosted by the Information Technology and Innovation Foundation (ITIF).
First, realize that it's going to take some time for Privacy Shield to be usable, Brill warned.
"The immediate next step is to write up the details so that everyone can see it," Brill said.
That's going to take longer this time than it did back in 2000, when the original Safe Harbor agreement was approved, however. The European Parliament is playing an advisory role this time, with the ability to review the agreement and vote on it, she noted. EU Member States will also have to approve it.
April is the soonest Europe's data-protection authorities are likely to be able to finish their legal analysis, according to the Article 29 Working Party, the EU body representing those DPAs.
In the meantime, businesses hoping the original Safe Harbor agreement will protect them in the interim will continue to be held accountable by the FTC, Brill said.
"If companies are continuing to make promises that they're abiding by Safe Harbor, we will enforce that," she said.
Assuming Privacy Shield is ultimately approved by European authorities, companies will have to examine the tougher requirements it involves carefully to make sure they can abide by them once they agree to support it.
"I want companies to be sure that when they self-certify, they know what they're getting into," Brill said.
For example, what's known as "onward transfer," when data is exported from Europe to the United States and then again to a third party, will gain heightened attention under the new rules, Brill said.
"Onward transfer will be more strongly protected," she said. "There will have to be more assurances that the entity receiving the data will protect it as well."
Sign up for CIO Asia eNewsletters.