Recently, the announcement of the EU-U.S. Privacy Shield has seemingly put to rest the complexity surrounding Safe Harbor. With a slew of new documents explaining its principles and structures, Privacy Shield is being heralded as the end of the uncertainty over transatlantic data transfers. Even with new regulatory paradigms in place, however, this may not be an easy task to accomplish.
Privacy Shield is far more complex than its predecessor, Safe Harbor. The likely fallout is having to adjust to a new landscape of binding governmental enforcement and increased responsibilities placed on private companies in the U.S. As described by Legaltech News, 2016 will undoubtedly be a year of transition, when businesses and law firms begin the extensive undertaking of steering their information governance structures, e-discovery processes, and business operations towards post-Schrems standards.
What is truly protected under this agreement?
Much of the uneasiness among U.S. businesses comes from the fact that the EU Commission isn’t scheduled to finalize the agreement until June. In the meantime, businesses find themselves deciding whether to rely on and comply with a basis that can change in the coming months or to disregard Privacy Shield altogether. Everyone seems to agree that it is imperative that a solution be found. The fall of Safe Harbor has left many with too few options for moving data, and the hush from European regulators about what good solutions look like is not too comforting to those on either side of the Atlantic.
Experts have advised businesses on whether Privacy Shield is the best solution for their data transfers. Due to the agreement’s complexity and signoffs, businesses could accrue additional risk and expenses. Some of those experts point to the Binding Corporate Rules, under which firms can gain similar verifications and Data Protection Authority signoffs, thereby ensuring global coverage.
“What I see at the moment is that instead of the Shield, a lot of companies are putting in place standard contractual clauses or intra-group data transfer agreements as a kind of sticky plaster to solve the immediate noncompliant issue,” Moerel explained. “But for the longer term, I see companies looking at Binding Corporate Rules, because the new regulation includes an accountability requirement for having a compliance program basically.”
Rocky road ahead? Definitely. Subscribe to the Microsystems blog for more information in the coming months.