My mom always told me to never say never, so it’s a good thing I didn’t say it in my previous article. Although technically the deadline was January 31, there was a very remote possibility of a last-minute agreement as the negotiations continued between the U.S. and the European Commission regarding the future of Safe Harbor.

It was announced today that the two groups did reach an agreement on a new framework to govern the way European data is collected, processed and transmitted by U.S.-based companies.

This next-generation program is called Privacy Shield. I think we were all betting on it being called Safe Harbor 2.0? That’s probably the techie in me escaping. Privacy Shield has some significant differences from its predecessor. Key changes include:

  1. U.S. companies will be held to stronger, more robust obligations to protect the personal data of Europeans.
  2. The Federal Trade Commission (FTC) and U.S. Department of Commerce will be responsible for monitoring and enforcement of these stronger obligations.
  3. Indiscriminate mass surveillance of the transferred personal data is not permissible. In addition, clear conditions, limitations and oversight for access to this data by law enforcement authorities will be established.
  4. Europeans will have new options for redress through the European Data Protection Authorities along with the FTC and the Department of Commerce.
  5. The agreement also requires an annual joint review of the program by the European Commission and the Department of Commerce.

Here is the press release.

In my opinion, these are all positive modifications, which are essential for operating in a global economy. Additionally, model clauses (details on these in my previous article) will still have their place, and privacy policies that accurately reflect what information you are collecting – including where that information is processed, transmitted and stored – will continue to be important.

As a security and privacy practitioner, I believe this will further emphasize the need to practice privacy by design.
