EU-U.S. Privacy Shield: How Snowden (and Schrems) Led the EU to Armor Up

In any other year with less bad news, more attention might have been paid to the adoption of the EU-U.S. Privacy Shield, a transatlantic agreement that will fill in the hole left by the invalidation of Safe Harbor last October. While this isn’t exactly evening news material, it is a big deal for companies who rely heavily on the trade of transatlantic consumer data — so basically, all international internet businesses. To give a sense of scale, back in 2012, the U.S. exported $140.6 billion of online goods and services to the EU and imported $86.3 billion — it doesn’t take much to imagine the amount of data involved there.

Privacy Shield takes a more aggressive approach to data privacy than did Safe Harbor, reflecting the diverging attitudes toward online privacy in the U.S. and Europe. In western Europe there is an increasingly prevalent belief that privacy is a basic human right, putting it in the same category as free speech, freedom from slavery, and the right to a fair trial. Here in the U.S. of A, on the other hand, privacy is viewed as more of a consumer right, placing it in the realm of EULAs, nutrition labels, and mattress tags.

This point was made especially clear in 2013, after Edward Snowden revealed the NSA’s illegal data collection practices. Austrian privacy activist Maximilian Schrems took his concerns over Facebook’s data transfer practices all the way to the European Court of Justice, which subsequently held in October 2015 that Safe Harbor provided insufficient protection through its lax opt-in framework.

That’s not to say that Safe Harbor was all bad. Introduced in 2000, Safe Harbor was a first attempt at consumer protection, crafted in a more innocent time when most people were still skeptical about the Internet as a means of international commerce. Most people couldn’t even really explain what the Internet was.*

As a voluntary self-certification program, businesses could either perform a self-assessment to verify compliance or hire a third party to do it for them. At $100 a year, Safe Harbor was a nod and a wink to consumer data privacy, and helped grease the wheels for explosive growth in trade between the U.S. and the EU.

Privacy Shield, on the other hand, was crafted in more trying times. The ‘Shield’ is really for the Europeans. That should give you an idea, by the way, of how the rest of the world thinks of the U.S. (hint: it’s not our propensity to overshare on social media). Notably, it includes written commitments and assurances around personal data access by government, as well as the threat of sanctions and the exclusion of companies that either violate privacy or fail to provide redress. And although Privacy Shield is still a voluntary self-certification program, once a company makes the public commitment to comply with the requirements, that commitment becomes enforceable under U.S. law.

Basically, it comes down to the following:

  • U.S. companies must post a very detailed privacy policy on their website;
  • U.S. companies must allow Europeans to opt out of certain kinds of data sharing with third parties;
  • U.S. companies must comply with access requests and limit data processing to only that which is “relevant” to the purpose for which it was collected;
  • U.S. companies must delete personal data which is no longer being used for the purposes for which it was originally collected;
  • EU citizens and organizations will have new tougher complaint and redress mechanisms; and, if all else fails,
  • U.S. companies that attract the ire of the Fair Trade Commission (FTC) must publicly share the nature of their non-compliance — a scarlet letter of sorts.

Setting arguments for the shortcomings of Privacy Shield aside, it is a vast improvement in data privacy protection over Safe Harbor, as well as a neat demonstration that when push comes to shove, people can change the way countries and corporations do business to better protect individual interests. That said, let’s see how long Privacy Shield lasts before we decide we need to change things up again.

For more information on how Privacy Shield will affect you or your company, check out the following links:

*This was six years before former Alaskan Senator Ted Stevens would say, “The internet is not a big truck. It’s a series of tubes.”