5 Must-Know Facts About the EU-US Privacy Shield and How it Affects Your Secure File Sharing
by Shirish Phatak on May 9, 2016
As the cloud, mobile, and other technologies make it easier to share data across The Pond, European lawmakers are trying to make sure that the private data belonging to their citizens is treated with the same secure file sharing care and safety in the United States that it is subjected to within the European Union. Until recently, the Safe Harbor Agreement attempted to address these concerns, but a Court of Justice of the European Union judge tossed the Safe Harbor Agreement last year, ruling that it was wholly inadequate to protect the privacy of European citizens.
In its place, European and American parties are working on Privacy Shield. This agreement is not yet in force, and is not completely fleshed out in terms of the details, but is fully expected to become enforceable in the near future. Here are the most important things you need to know about the Privacy Shield agreement between the EU and the US.
1. Businesses Must Sign Up to Participate
Privacy Shield is another Trans-Atlantic agreement between the US and EU that seeks to strengthen business interests, while protecting the rights of their private citizens.
You can opt out of signing up, but if you do, you will not be allowed to store, process, transmit, etc., personal data on European citizens inside the US. If you do sign up, you will be subject to all of the rules and regulations established in the agreement. The US Federal Trade Commission (FTC) is responsible for enforcing the law on the US side. Participating businesses will be obligated to publish and to follow specific privacy policies. Companies that fail to keep up their end of the bargain can be excluded from participating, which means they won't be allowed to store or process private data about European citizens on American soil. The US Department of Commerce will publish a public list of which companies are signed up to participate, as well as which have been excluded from participation.
2. Privacy Shield Does Not Supersede National Security
When it is deemed that US national security conflicts with Privacy Shield, security trumps the agreement. This includes any investigations being conducted by law enforcement agents in the US. According to the agreement, "Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations."
3. Mass Surveillance by US Law Enforcement is Still Allowed Under Privacy Shield
One of the most pressing reasons for tossing out the old agreement, Safe Harbor, was the issue of US mass surveillance. However, it will still be allowed under the new agreement, Privacy Shield. There are six different scenarios in which the US allows federal and law enforcement agencies to conduct mass surveillance: (1) detection and counter attacks involving foreign powers; (2) counterterrorism; (3) counter-proliferation; (4) cybersecurity; (5) detection and countering of any threats to US or allied armed forces; and (6) combating criminal threats across national borders (which includes attempts to avoid sanctions).
4. Privacy Shield Gives Businesses 45 Days to Respond to Complaints by European Citizens
If a citizen of the EU complains about the handling of their personal information, the business in question will be given 45 days to respond to the complaint. If the business fails to reply to the satisfaction of the citizen, the citizen will have access to a number of predetermined courses of action. One recourse option will be a free dispute resolution service about the alleged lack of secure file sharing.
5. Privacy Shield is Not Yet in Force
Privacy Shield is designed to make it more secure for Europeans to do business overseas, while assuring them that their privacy will be treated with the same care and consideration it would be in their home country.
Though the European Commission made an announcement about Privacy Shield back on February 2 of this year, it was almost a month before the US promises arrived. Those were made public on February 29. The decision is still pending challenges by various governments, as well as the information protection authorities of the nations affected. Even after being put in force, the agreement will be reviewed annually by all parties.
This agreement will mean that all US businesses that want to store, process, or transfer data on European customers or other private citizens will need to prove that they have secure data stores and secure file sharing practices in place. Are yours up to the standards of Privacy Shield? What will it take?