As news breaks about the United States and European Union agreeing, in principle, to a new data-sharing pact, questions arise as to whether this is an improvement over the outgoing policy, particularly the Safe Harbor rules.
I recently connected with SearchSecurity’s Michael Heller to explain that we should all expect more transparent statements on general data usage, sharing, reporting and protection controls.
Too Soon to Examine Ruling Improvements
Is this new approach better than what’s in place today? It’s too soon to tell. Nothing has been finalized and no drafts are currently available. There have been ongoing discussions regarding Safe Harbor 2.0 since the European Commission (EC) published its 13 recommendations for improving the original Safe Harbor requirements in November 2013.
These conversations have gained momentum since the Court of Justice of the European Communities (ECJ) rejected the strategy on Oct. 6. In a speech before the EC on Oct. 26, EU Commissioner Věra Jourová stated that intensive technical meetings will continue with the U.S. to try to complete a new Safe Harbor framework by the end of January 2016.
Both the U.S. Department of Commerce and the Federal Trade Commission have agreed to provide more robust oversight and cooperation with European data protection authorities (DPAs).
I expect that the new framework will contain more robust and prescriptive requirements for U.S. companies to follow, together with more commitment on the part of the U.S. to oversee the program, including enforcement activities.
The key element still to be worked out is U.S. law enforcement access to data, which must be subject to clear conditions and limitations. I don’t see the U.S. with much room to negotiate on this point. I believe we will see some additional access requirements for EU personal data held by U.S. companies.
Why Did EU Push for Changes?
As we touched on, the EU has clear motives for demanding reform. There have been ongoing discussions on improving the data-sharing agreement for a number of years. In addition, the efforts of the EC on a new General Data Protection Regulation (GDPR) for the EU have been ongoing and are nearing completion.
This change is nothing new, but rather an evolutionary step by the EU to streamline and harmonize the data protection laws across EU member states. This activity was accelerated by the recent ECJ ruling in the Schrems case (Maximillian Schrems v Data Protection Commissioner) that immediately invalidated the existing Safe Harbor agreement.
U.S. Enterprises Will Be Affected
As I discussed with Heller, I expect there to be more prescriptive requirements for U.S. businesses to implement to meet EU data privacy requirements. These will likely include clearer statements on the usage and sharing of data, as well as protection mechanisms and more robust reporting and attestation requirements.
Businesses will more likely be required to demonstrate how they are meeting these requirements — and in a more robust manner than simply answering a handful of boilerplate questions.
U.S. businesses need to understand the impact of the new GDPR on their practices and be prepared for a fairly short period in which to implement the required changes.