As Shakespeare wrote, the course of true love never did run smooth. This has certainly rung true for the recent shake-up of data protection laws.
The need for a policy change arose last October when the European Court of Justice invalidated the U.S.–EU Safe Harbor program. That program had previously permitted relatively free transfer of data from European countries to the U.S. despite the different data privacy standards within the two regions.
Since then, the course has been anything but smooth, with negotiations for a replacement program resembling a tempest more than a midsummer night’s dream; bridges were burned and April showers rained on the proposed replacement’s parade. Then last month from Brussels came the announcement that the European Commission has approved the new EU-U.S. Privacy Shield, which will come into immediate effect. But if the course to this new arrangement wasn’t smooth, is the end result something either region can truly love?
The new “Shield” contains strengthened protections for EU data subjects. Companies (upon updating their current measures) are required to self-certify their compliance to the U.S. Department of Commerce beginning August 1, 2016. Thereafter, the Commerce Department is charged with conducting regular checks on participating companies. Those not in compliance may be removed from the list and face sanctions, limiting their access to EU data. The U.S. administration has made concessions, too; law enforcement’s access to information will be limited, and EU data cannot be subject to indiscriminate mass surveillance. Finally, if data subjects’ complaints cannot be resolved domestically, the framework envisages joint investigations between the EU member state’s data protection authority and the Federal Trade Commission.
U.S. companies may not be overly enamored with the stronger obligations imposed on them in this particular play’s latest act, and there are concerns the European Court of Justice may give the whole performance poor reviews. But at least companies now have clearer guidance to follow, and it is too early to assess the plan’s effectiveness. In these midsummer nights, perhaps we’ll sleep on that thorny question. But even if true love hasn’t been the ultimate product, let’s hope that the course of data transfer, at least, will now be smooth.
_____
TRACE International and TRACE Incorporated are two distinct entities with a common mission to advance commercial transparency worldwide by supporting the compliance efforts of multinational companies and their third-party intermediaries. TRACE International is a nonprofit business association that pools resources to provide members with anti-bribery compliance support while TRACE Incorporated offers both members and non-members customizable risk-based due diligence, anti-bribery training and advisory services. Working alongside one another, TRACE International and TRACE Incorporated offer an end-to-end, cost-effective and innovative solution for anti-bribery and third-party compliance. For more information, visit www.TRACEinternational.org.