Who is Max Schrems?
A privacy rights activist that few had heard of a year ago, but it’s now harder to find someone in privacy circles who hasn’t heard of him. He is the man responsible for bringing the Safe Harbor agreement to its knees and the European Court of Justice duly delivered the killer blow. With Safe Harbor gone, organisations in both Europe and the USA face a huge challenge – how are we going to share personal information now?
The significance of the demise of Safe Harbor wasn’t lost on regulators from Europe or the USA and caused another dent in the relationship that has been shaken by ‘unlawful’ surveillance activities, amongst other things over the last few years. Providing an easy mechanism for organisations on either side of the pond to share personal information is key to opening market trade between both sides and negotiators from both parties have locked themselves away for months to come up with an alternative solution to transatlantic personal information sharing.
A new hope?
The outcome of the negotiations? Privacy Shield – not Safe Harbor 2.0, as many had expected, instead a new name and a new beginning. Even though it’s only an agreement in principle, organisations from Europe and the US will breathe a sigh of relief that some progress has been made. That relief may well be short lived as the text of the new framework is still to be drafted. It will then face scrutiny from the Article 29 Working Party (formed of representatives from the different data protection authorities across the EU), in addition to other European Institutions and civil liberty groups. Whether Privacy Shield survives this scrutiny remains to be seen.
From the limited information released about the agreement on Privacy Shield, it certainly seems that it will be far more robust than Safe Harbor. Promises have been made including: placing strong obligations on US companies handling personal information of EU citizens (to protect and appropriately manage that information), robust enforcement mechanisms, effective protection of EU citizens’ rights, including direct redress in the event of data misuse and increased transparency obligations on US government agencies and a limiting of their access to EU citizens’ data.
US based organisations seeking to become Privacy Shield ‘certified’ will face a far greater challenge than before. Organisations are asked to embed far more robust processes and controls to manage the personal information they collect of EU citizens’. Failure to do so is likely to have significant repercussions, including perhaps being stripped of the certification, named and shamed.
The Wider Context
Organisations shouldn’t be overly distracted by Privacy Shield, as there are far more significant changes on the horizon for organisations processing personal information. The General Data Protection Regulation (GDPR) is set to be passed imminently. With the potential for monstrous fines (up to 4% of global turnover), increased accountability for data processors and numerous other obligations- the GDPR really is a privacy game changer.
What should IT organisations be doing? Taking action and quickly. Where acting as the data controller and outsourcing services, companies need to give consideration to the full remit of regulatory requirements and not just focus on the legal mechanism to approve the transfer. Some of the considerations include: informing individuals that the transfer is taking place, assessing the risk of the transfer and determining whether it is within appetite, conducting due diligence on the third party being used and performing ongoing assurance, to name a few.
Where acting as a provider of IT services, there are significant challenges too. Direct accountability, increased transparency requirements, being more open to ongoing audits, providing services locally (as opposed to offshore) and embedding robust privacy controls are just a handful of things that IT outsourced service providers need to be planning for.
Privacy to the fore
Regardless of what happens with Privacy Shield, IT organisations in Europe and the USA are going to need to make significant changes to the way they process and manage EU citizens’ personal information. Putting in place an appropriate mechanism to legitimise transfers is one piece of the puzzle. However IT organisations shouldn’t wait and see what happens over the next three months and need to act now. Privacy rights activists, with Max amongst them, are all too keen to make sure they do so!