2016-04-26

A few weeks ago, we reviewed the agreement between the European Commission and the United States on a new framework for transatlantic data flows, the EU-U.S. Privacy Shield, along with the EU General Data Protection Regulation (GDPR), which will regulate the processing of personal data within the European Union.

This week, we have an update on both proposals.

The Privacy Shield was neither approved nor rejected
As a reminder, the aim of the Privacy Shield is to provide a set of robust and enforceable protections for the personal data of EU individuals. If adopted, the framework would have a major impact on how U.S. companies collect, manage, and use personal data transferred from Europe.

On April 13, the Article 29 Working Party, which was reviewing the Privacy Shield proposal, expressed significant concerns, stating that:

A massive and indiscriminate data collection is not fully excluded by US authorities

A number of important data protection principles have not been expressly incorporated within the proposal

There is no mechanism for updating the EU-US Privacy Shield once the General Data Protection Regulation comes into force, which is now likely to be mid-2018

The group has not, however, rejected the proposal entirely and even called it a “great step forward.” It instead asked for the outstanding concerns about adequate protection of personal data to be clarified and resolved. The Article 29 Working Party’s opinion is advisory in nature, and the European Commission will still wait to hear from the Article 31 Committee before rendering its final decision.

The EU General Data Protection Regulation (GDPR) is approved
To make things more interesting, just a day later on April 14, the European Parliament gave its final approval to the new GDPR, after four years of negotiation.

The GDPR will be published in the EU Official Journal (expected sometime in June) and will enter into force 20 days after publication. A two-year transition period follows the in-force date, so organizations will need to be fully compliant sometime in mid-2018.

The approval of the GDPR is a significant development in shaping privacy and data protection law in the European Union as a cohesive, homogeneous whole: a single regulation becomes the primary instrument governing the activities of very diverse countries in this domain.

What’s the reaction in the corporate world?
Some companies are disappointed that the Privacy Shield was not approved, but many are not. The concerns raised over the “massive and indiscriminate” bulk collection of EU personal data by U.S. authorities are legitimate. While the U.S. has been working to address them by passing the Judicial Redress Act in February, which extends to citizens of designated U.S. allies the same protections the Privacy Act offers to U.S. citizens, the updates to the privacy model are still too new for Europeans to do an about-face in trusting it.

And so, the uncertainty continues for a while longer. What is clear is that businesses should not continue to rely exclusively on the Safe Harbor framework, which the Court of Justice of the EU invalidated in October 2015, for international transfers.

Companies should continue to work towards obtaining consent from their user base where appropriate and, for data transfers, to put EU Model Clauses (standard contractual clauses) or Binding Corporate Rules (BCRs) in place with their data partners, whether or not a Privacy Shield agreement is ultimately adopted.

Data privacy is a core priority here at Return Path and as Chief Privacy Officer, I can assure you that we’ll be watching the Privacy Shield news closely as it unfolds. Subscribe to our blog to stay up to date on key updates and suggested actions.