Eimi Harris Society, Culture, and Security

The EU-US Privacy Shield: What You Need To Know About Data Transfers

Many of us take the internet and its ability to access information from any point in the world for granted. Oftentimes, this means that the practical implications of information movement are overlooked. Although cyberspace itself may lack physical territory, the personal data put into accounts online are still stored in physical servers scattered all over the world. As that data crosses national borders, a number of international political factors come into play.

As seen in the most recent data-transfer plan between the EU and US, information movement is no exception to the politics associated with the movement of goods across territorial lines. The press release distributed by the European Commission on February 2, 2016, outlined the creation of the EU-US Privacy Shield, a new regulatory agreement monitoring and facilitating transatlantic data flows for EU consumer privacy protection.

To understand the full extent of the EU-US Privacy Shield, it is important to know about Safe Harbour, its predecessor. As the EU has privacy laws that forbid the transfer of EU citizens’ information out of the EU, the Safe Harbour agreement granted an exception for data movement to the US, where the US government promised “to protect EU citizens’ data if transferred by American companies to the US.” This agreement had two major obligations: American companies (particularly those like Facebook and Google) would uphold a commitment to protect EU data on US servers, and the US government would respect the privacy of EU data flowing into its territorial jurisdiction.

After the Snowden leaks revealed that EU data may have been analyzed by US security agencies, however, the European Court of Justice ruled that Safe Harbour violated EU citizens’ privacy and was no longer a legitimate agreement. While larger companies like Apple and Google, with their own policies meeting the EU’s privacy standard, were not seriously affected by the end of Safe Harbour, smaller companies offering transnational digital services have had a harder time proving they have the measures required to ensure data security as it moves across the Atlantic.

The EUCJ ruling was made in October 2015. While digital consumers may not have noticed any changes in online services, this means that data and privacy protection have not been highly coordinated between the EU and US for close to four months. Considering how important some of the personal information moving across the Atlantic may be, that is an extremely worrisome reality for many EU citizens.

In that regard, the new EU-US Privacy Shield is a much-needed development for both business operations and EU citizens’ privacy. The major obligations of the new agreement, many of which were built up from Safe Harbour, were listed in the press release. For businesses, it will continue to hold companies responsible for privacy methods and will add further compliance monitoring by the US Department of Commerce. Additionally, as a response to the EUCJ’s Safe Harbour ruling, the Privacy Shield has secured the US government’s assurance that, with the exception of national security purposes, access to EU citizens’ data will be much more limited than before; the agreement includes working on creating bodies to monitor that obligation.

Businesses, as one of the bodies most affected by data flow capabilities, have expressed support for this new plan so far. Anthony Walker, deputy chief executive of TechUK, elaborated that “businesses large and small across Europe need reliable and affordable legal mechanisms to enable the data transfers that underpin their operations and ability to serve customers…The fact that EU and US negotiators have worked day and night for several months to secure this agreement reflects how important transatlantic data flows are to global digital economy.”

Privacy bodies, however, have expressed worries that the Privacy Shield will not be any better for EU privacy than Safe Harbour. One concern is that the US has only given written assurances rather than formal procedural changes, meaning that practices improving the security of EU citizens’ data in the US are not guaranteed. Another concern is that adding the Department of Commerce and Federal Trade Commission as compliance bodies in the US will only increase bureaucratic weight for privacy complaints.

This first instalment of the Privacy Shield is only temporary and will be studied by EU bodies to ensure its effectiveness in the coming weeks. For now, we can say that the Privacy Shield will be helpful in facilitating data movement. In the end, though, we have to remember that what happens to data from the EU is not limited to those in the EU. When it comes to the internet, these issues of privacy and secure transfers impact everybody’s information. So even if the EU-US Privacy Shield may not directly apply to data from Canadian citizens, it is important to at least be aware of the politics surrounding your data and overall privacy.

Eimi Harris
Eimi Harris is a student working towards her undergraduate degree in International Relations and Economics at the University of Toronto. Her main focus in international affairs is cybersecurity, particularly diplomatic relations and normative development in the cybersphere. On the side, she enjoys watching films and is also working towards her Cinema Studies degree.