The EU-US “Privacy Shield” Is Not a Good Fit for Most U.S. Businesses

There was an almost audible sigh of relief upon the agreement of the new EU-US Privacy Shield framework. Reading the average press report one might mistakenly think that personally identifiable information can now flow between the EU and the US without further ado. The tap does not just turn on automatically, however. Most US businesses still will need to implement their own arrangements to ensure European personal information can be used in their US operations.

Why? First, Privacy Shield is a voluntary arrangement with some heavy-duty obligations. Second, it is not a mechanism for avoiding EU data regulations — quite the contrary. Privacy Shield requires US applicants to implement and continuously adhere to EU regulations. Applicants must register with and certify compliance to the US government, annually. Once registered, the Department of Commerce and Federal Trade Commission can monitor, investigate, and bring enforcement actions against the registrant.

It is interesting to note that in 15 years of operation, only about 4,000 US companies signed up to the now-defunct Safe Harbor regime.

Safe Harbor worked essentially in the same way as the new Privacy Shield: internal implementation of EU regulations followed by registration with the US Government for public enforcement. The majority of US businesses decided not to sign up for the government oversight, opting instead to work out the legal logistics by direct contractual arrangements with their European counterparts.

I predict the contractual option will remain the preferred route for most US businesses.

The Privacy Shield will be most helpful for those multinationals who process personal data routinely in connection with their central business model. For example, eBay, Amazon, Google, and telecommunications and cloud storage providers are likely to sign up to the Privacy Shield regime because there is a business case for doing so.

Whether the average US business opts for the Privacy Shield or ad hoc contractual arrangements, compliance with the EU data privacy regulations has recently become harder with the passage of the General Data Protection Regulation, known as GDPR. I just spent a week attending a summit about the implementation of GDPR. My next two alerts will highlight the practical ramifications and changing compliance obligations for American businesses under the GDPR.