The new agreement governing data transfers between Europe and the United States gave companies more legal cover than they expected but did less than privacy advocates demanded.
Negotiators even tried to make the pact Trump-proof, building in ways to insulate the deal from political changes on both sides of the Atlantic. The text released Monday now goes before the data protection authorities (DPAs) for the European Union, which will meet in April to forge a position, and to the European Council.
With the text now public, here are the five things you need to know:
1. All EU-U.S. data transfers will be affected
After the European Court of Justice struck down the safe harbor data transfer accord in October, many companies scrambled to put in place alternatives: model clauses and binding corporate rules. Model clauses are templates for contractual terms the Commission wrote to deal with overseas data processors. Binding corporate rules outline a company’s internal data transfer procedures.
The EU’s data protection authorities announced February 3 they would decide whether binding corporate rules and model clauses were valid, because the protections afforded by the privacy shield originally did not extend to these other mechanisms.
But according to the Commission, the privacy shield data will cover these alternatives.
The privacy shield will cover the data not only of EU citizens but also of residents, according to two high-level Commission sources.
2. All roads lead to Luxembourg
The ink is barely dry and yet everyone seems to agree the ultimate test of privacy shield will be in the European Court of Justice, in Luxembourg. And soon.
“We are already looking at different options,” said Max Schrems, the Austrian privacy advocate whose complaint about the safe harbor mechanism led to its annihilation by the ECJ. “There seem to be countless options to bring it down again. I am therefore not sure if it will take me to do it.”
Consumer groups agree.
“Five months have passed since the Schrems ruling, it is time that data protection authorities stop looking the other way,” said David Martin, senior legal officer at the European consumer organization BEUC.
3. How the Commission tried to make privacy shield Trump-proof
What if Donald Trump is elected the next president of the United States?
Given that much of the privacy shield relies on promises made by the top level of the Obama administration, the Commission and DPAs were concerned a change of president might also mean a change in privacy protections.
There are two ways the Commission has tried to Trump-proof the text.
The first is the annual review, to be conducted by the Commission and its U.S. counterparts. If the Commission is unsatisfied with results, it can unilaterally suspend the pact.
While that’s good news for privacy advocates, industry associations raised concerns that an annual review will create uncertainty.
The second anti-Trump measure: The Commission has insisted the U.S. publish all of the privacy shield documents in the U.S. Federal Register, the official government journal. That makes it more difficult for a new president to ignore.
4. What happens next
The Commission has now submitted the privacy shield to data protection authorities. All 29 authorities (28 national representatives and the European Data Protection Supervisor) will meet in Brussels in April to come up with a common position on the privacy shield, which will be persuasive but not legally binding. In between, they will hold smaller meetings in March.
Meanwhile, the Commission will need to get the European Council, which has the power to kibosh the privacy shield, on board. It won’t use that power. In fact, the Council’s biggest concern is how quickly the new arrangement can be up and running — a German representative at Monday’s Competitiveness meeting said the transition period before the new arrangement comes into effect must be minimized, according to an EU source in the room.
Expect to see privacy shield in action by late spring to early summer.
5. What companies will need to do
Once the framework is in place, Commission sources tell POLITICO it shouldn’t take more than a month for companies to get certified.
Companies will be able to self-certify annually that they meet the requirements, including signing up to a new “last resort” dispute resolution tool.
The U.S. Department of Commerce will be in charge of monitoring and verifying that companies’ privacy policies are in line.
Complaints can be made directly to the company transferring the data, which must respond within 45 days. Alternatively, Europeans can go to their national DPA, which will refer the complaints to the U.S. Department of Commerce or the Federal Trade Commission.