Update – August 2, 2016: The framework for Privacy Shield is now available online, and companies may sign up to participate.
Original Post: The Privacy Shield, a data transfer agreement between the United States and the European Union, went into effect today as the European Commission formally adopted it. The previous agreement in place, Safe Harbor, was invalidated over 8 months ago due to concerns the EU had about US surveillance.
As outlined by The Verge, the Privacy Shield agreement “places safeguards on how US authorities can access the data of European consumers, and creates a framework for resolving cases where Europeans feel that their personal data has been misused.” The agreement applies to data that travels across borders, as tech companies (and others) conduct trans-Atlantic business. TechCrunch describes the legislation as a “balancing act,” in that it attempts to bridge the gap between the distinct data handling polices of the US and EU. In general, EU policies are more strict, and leave less room for surveillance. Four EU members – Austria Slovenia Bulgaria and Croatia – did not vote on the Privacy Shield due to continual concerns about US surveillance.
Here’s How It Works
US companies must self-certify that they meet data standards, and then the United States Department of Commerce conducts reviews for compliance. Regulations include limitations on bulk data collection and oversight in regards to accessing EU data, but if the EU feels privacy has been violated they have an option to file complaints. US companies have until August 1st to “certify their compliance.”
Many tech companies are in favor of the Privacy Shield, as it offers data protection but also allows for business and trade to function effectively across continents. Some privacy advocacy groups question if it will have an impact, however. And many (particularly those in Europe) still have concerns about the surveillance that could be enabled under this law. Max Schrems, who challenged Safe Harbor, is also against Privacy Shield, and called it “little more than a little upgrade.” “It is very likely to fail again, as soon as it reaches the CJEU. This deal is bad for users, which will not enjoy proper privacy protections and bad for businesses, which have to deal with a legally unstable solution,” he said. It’s still unclear how many companies will sign onto this agreement, but we will be sure to provide updates as adoption continues. You can also learn more in the official FAQ document.