Article by DataGRC Ltd. 1st September 2018.
Once again, there's wide-spread confusion around data protection laws.
Not that we see a consistent understanding of GDPR, ePrivacy, local Data Protection Acts and PECRs, yet. Even basics like Cookies are still causing confusion, not to mention debate about cookies versus biscuits and whether they should be dunked or not...
But, back to data protection, there's a new hot topic today. Just in case someone may need to transfer personal data between EU and US, how can it be done legally? We appear to have just lost a safeguard...
The UK's Information Commissioner's Office (ICO), provides some lovely guidance on using EU-US Privacy Shield, whereby EU personal data can be transferred to US companies (or at least companies processing data in the US) if they have been certified by the scheme.
Even the European Commission has a nice, easy to read webpage about it.
This sounds workable. All great so far!
The PrivacyShield.gov website then nicely lists all those companies that have been given the thumbs up. "3688 Total Organizations" in total doesn't sound like many, and the search facility is a bit glitchy, but Microsoft has 27 covered entities, Google has 1, MailChimp has 1, SalesForce has 5, Facebook has 1. Apple seems to be missing, but Mr Buffett is investing more in them, so they (one presumes) must be OK.
This sounds kind of workable. All good so far!
But was it too good to last?
In a moment of extreme EU democracy, on 5th July 2018, Members of the European Parliament (MEPs), voted 303 to 223 (the other 29 MEPs sat on the fence, didn't understand or didn't turn up), that the EU-US Privacy Shield must be suspended if the US fails to comply in full by 1st September 2018.
It appears that the "Facebook-Cambridge Analytica" debacle, which highlighted the law really wasn't written well enough, has upset enough MEPs to get the vote through.
The US CLOUD Act 2018 won't have helped either. Ironically, the CLOUD Act doesn't really have anything to do with "the cloud" as we know it. It's the "Clarifying Lawful Overseas Use of Data Act", allowing US government agencies to access any data held by an American company, in any country. There are a few caveats, points for clarification, and limited transparency. It's enough to bother us.
But, back to that date, the 1st September 2018 is today.
Today is a Saturday. Monday is a US bank holiday. So, a very happy Labor Day to all our friends across the pond. It's a day that celebrates the social and economic achievements of American workers, which wouldn't have been possible without sharing personal data...
It seems quite possible that Privacy Shield may have now been suspended, but there is a complete lack of news about what's going on...
Through all the murky noise about Brexit and Trade Deals/Sanctions, Privacy Shield has potentially just sat in the corner and died.
All a bit déjà vécu?
For those who have been around for a while, it may sound very similar to "Safe Harbor". Not the 2018 film about Australians and asylum seekers on small fishing boats. Safe Harbor was a decision by the European Commission, in 2000, which mostly looked and acted in a similar way to the Privacy Shield, but which got thrown out in 2015. Mr Snowden certainly contributed, by highlighting how easy it is for US authorities to sniff around data and evade persons' fundamental rights to privacy. Mr Max Schrems then built the coffin and put all the nails in, with his case that went to the European Court of Justice (ECJ).
After a lot of legal and political expenditure, Privacy Shield became the replacement in July 2016.
D Trump even signed an Executive Order stating "Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information." Perhaps a little at odds with the CLOUD Act.
However, it just wasn't good enough. The law was abused and shot down.
So what now?
The good news is that we've not yet hit a lawless state.
While the European Parliament wording sounds strict, it is not binding. That would need the European Commission to act, which puts pressure on the EC's annual review of Privacy Shield that is due in September.
There are also still a few other recognised safeguards to fall back on, such as Model Clauses and Binding Corporate Rules. The latter are primarily for corporate groups, and it can take up to two years for a company to gain approval from a supervisory authority once it has the internal documentation and controls in place. Not a quick fix. The former are also at risk of being trampled on by Mr Schrems, in his crusade against Facebook. Hopefully those 3688 companies, and the companies that share data with them, will make the leap to Model Clauses, and those will remain lawful and adequate. At least it gives us something to go on until the rules change again.
We do still wonder how well regulatory action would fare against a company when the law makers are dithering around and writing inadequate laws that repeatedly have to be pulled. That said, the company would probably have to be doing quite a few suspect things to be in a position to argue this case in the first place.
We'll leave those arguments to Max and keep our fingers crossed for companies genuinely trying to comply.
DataGRC provides data protection and security advisory services, including outsourced DPO and CISO resource, mentoring, training, assessment and remediation support.