By Mackenzie Olson
The E.U.-U.S. Privacy Shield promises greater privacy protection for E.U. citizens’ personal data, but it provides no such assurances to U.S. citizens—even though consumers have become increasingly concerned about how companies use their personal information. However, as companies reconfigure their current privacy protocols to satisfy these new standards, U.S. citizens could realize a windfall.
In Europe, privacy is considered a fundamental right, though it is not in the U.S. Data protection safeguards are included in the E.U.’s charter, but there is no U.S. federal law that establishes a right to privacy. The Safe Harbor data transfer agreement of 2000 between the U.S. and E.U. previously dictated how companies could satisfy the heightened privacy requirements due their E.U. customers’ personal data. However, Safe Harbor is now defunct. In October 2015, the European Court of Justice struck down the agreement because it failed to protect E.U. citizens from U.S. government surveillance. Ever since Edward Snowden’s 2013 document leaks revealed details about the National Security Agency (N.S.A.)’s intelligence operations, Europeans have been concerned about how U.S. intelligence uses their personal data. Though the European Commission and U.S. Department of Commerce are still developing the details of the Privacy Shield and its text, officials state that an agreement should be reached by the second part of February of this year.
The new agreement will allow the free flow of data between the U.S. and E.U. and better protect E.U. citizens’ personal data. The U.S. Department of Commerce explains that the Privacy Shield will provide individual E.U. citizens with numerous protections, such as: multiple means of dispute resolution, including through cost-free arbitration; enhanced oversight of data transfers to nonparticipating third parties (onward transfers) and data processing by company agents; annual compliance review between the U.S. and E.U.; enhanced executive oversight and judicial review of intelligence collection activities; and improved transparency of intelligence operations.
The announcement of this new deal should provide some relief to U.S. companies that have been left without direction—and have likely been out of compliance with E.U. privacy standards—since the Safe Harbor was ruled invalid. But no matter what specific methods of protection the final iteration of the Privacy Shield may prescribe, there are certain measures companies can implement to protect data that should satisfy even the strictest requirements. Best practices include: automated governance processes of data management, control, and analysis; real-time access to data traffic patterns and geo-location information; and data encryption. Companies should also refrain from unnecessary data transfers.
Many privacy watchdogs are still concerned that Privacy Shield will fail, like Safe Harbor, to adequately safeguard E.U. user data. They assert that a fundamental flaw with the agreement is that U.S. law still allows N.S.A. officials to conduct mass surveillance. They suggest that the U.S. needs to change its federal privacy laws, so that the laws match those in Europe.
However, some of these concerns may prove needless; the specifics of Privacy Shield are still forthcoming. Regardless, tech companies will likely need to implement major changes in their data management and privacy polices if they want to remain operational in the E.U. If companies are forced to execute improved privacy and transparency operations in Europe, then such changes could also be enacted in the U.S. because “it would be difficult to run what would essentially be separate services for different parts of the world,” states the Washington Post.
Should sheer economics and logistics force companies to adopt greater privacy protections for U.S. customer data as well, U.S. privacy advocates should be pleased. Stronger federal laws may theoretically achieve greater privacy protections, but uniform protocols—such as those adopted in accordance with Privacy Shield—will drive real change, and more likely remain viable in the long run.
Image source: recode.net.