The flow of personal data across borders has been a contentious issue recently—and one that will see important developments in the coming months. As European leaders prepare to implement a new approach to regulating online transfers of data to and from the U.S., there is a lot at stake for both small and large companies.
Businesses constantly move huge amounts of data around the world—and must contend with a patchwork of different regulations on digital information. For years the Safe Harbor framework allowed data to be efficiently transferred between the U.S. and Europe despite different privacy frameworks on either side of the Atlantic. So the European high court’s move to strike down the framework late last year marked a significant setback for American companies.
After lengthy negotiations, in February 2016 government leaders in the EU and U.S. agreed to a new framework known as Privacy Shield. Under the terms of the agreement, U.S. firms will have to self-certify that they abide by a series of requirements for data protection. For example, they must identify third parties to which they’re disclosing information, give consumers an opt-out mechanism if they don’t want their data given to third parties, correct any mistakes, and explain the means of redress for consumers in cases where data is mishandled.
The agreement will involve monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission. It also creates the new position of Privacy Shield ombudsman in the State Department.
TIA supports the new framework, which will allow U.S. companies to continue to transfer data to and from Europe. But though the agreement is expected to go into effect this summer, it is not yet a done deal. It must first make its way through the approval process on the European side, while the U.S. needs to finish updating procedures at the FTC and Departments of State and Commerce.
Meanwhile, despite support for the deal from the European Commission, European data privacy regulators have criticized it, saying they want more reassurance over U.S. surveillance practices and the independence of the new U.S. privacy ombudsman. Some consumer advocates in Europe argue the framework does not go far enough, and the risk of a court challenge looms.
TIA is watching this situation closely. Helpfully, in the meantime European data protection authorities have continued to allow the use of two common types of contracts for cross-border data transfers. But in the long term, a strong, legally sustainable framework will be critical to upholding the free flow of information that is an essential part of U.S.-EU commerce.