Greetings from the French Alps!
The new Privacy Shield continues to be a headline grabber and this week at CeBIT, one of Europe’s largest trade shows in the IT field, was no exception. The European Commission Digital Commissioner Günther Oettinger, who was present at the trade fair, said this week that the Privacy Shield data transfer agreement could go into effect as early as June.
In the next few weeks it will be evaluated by the member states’ data protection authorities, who will meet on 12-13 April and thereafter issue their opinion. While that opinion will not be binding, it will play a very important role in respect of the Privacy Shield’s enforcement. In short, the opinion will be incredibly relevant. One of the biggest areas of ambiguity with the Privacy Shield lies with the potential enforcement of regulations or fines across the 28 member states of the EU.
If your organization does business internationally, it should take steps to ensure it can continue to transfer data from the EU and do so in a way that is in compliance with regulation and best practices. That begins with a thorough review and mapping of current processes, including the legal agreements, tools and policies used to effect such operations. Companies should be conducting assessments with all the relevant business stakeholders through their business supply chains, both internal and external, to articulate a narrative of data flows from collection to disposal, and more critically where data is transferred to a third party or transferred internationally. Ensuring the integrity of data flows globally through the privacy looking glass will be an increasingly strategic consideration going forward.
Barring a small handful of U.S. multinational companies with ample resources and the data center infrastructure for keeping information on EU citizens within the Union, the vast majority of businesses that do overseas business, whether large or small, are probably not as well equipped. The ongoing attention paid to Privacy Shield underlines the fundamental and core value of data in today’s economy. Whether that data is personal information or intellectual property, the information that organizations collect, create, share and store is vital to their success and should be handled as a priority and protected with care.
The Privacy Shield also brings a number of key elements to the global privacy table. In a recent article by Eduardo Ustaran, one element that stood out for me was the introduction of the European way of thinking about privacy to leading multinationals. In a sense, the Shield is a global extension of European privacy rights and standards. It could be argued that the impact of Shield as the successor to Safe Harbor will not be restricted to the U.S., given that in practice, many multinationals will likely elect to implement the framework on a global scale. A natural consequence, probably one that the European institutions are banking on, could well be the influence on companies at large and how they take decisions, plan and operate within global supply chains. The Privacy Shield framework also reflects an intricate system of oversight, enforcement and redress, which involves a number of overlapping institutions with different levels of competence across borders; clearly much effort has been devoted to creating a credible system of checks and balances to attain high standards of data flow integrity.
Shield is complex and requires careful consideration. Privacy professionals would be wise to understand it sooner rather than later.