The United States and the European Union finally agreed on an update of their Safe Harbor accord on cross-Atlantic data transfer, but the new Privacy Shield policy has some molding and shaping to endure before it becomes reality. The deal still awaits initial evaluation from the Article 29 Working Party on a framework for data transfers. Also still needed is a mechanism for European citizens to bring complaints in the U.S. against American companies. In the meantime, here are three issues for marketers to consider.
Review your cloud providers. Robert Cruz, senior director of information governance at Actiance, a data security company, points out that the rapid massing of cloud services includes providers unequipped to move large blocks of data by government decree. “It’s going to require folks to think about the service providers they’re doing business with,” Cruz says. “You’re going to have to think about how can you move data out of that cloud service. Some cloud providers are not used to dealing with legal issues and some don’t make it easy to get your data back.” He recommends keeping an eye out for what happens in the Microsoft-Ireland case concerning a subpoena of data from Microsoft’s Irish data warehouse. It appears headed for the Supreme Court and its resolution will have great bearing on the future limits of global data access.
Multinationals, take stock of internal data flow. George Corugedo, CTO of data analytics provider RedPoint Global, has a U.S. client doing business with a large European retailer that won’t allow it access to any of its sales data on the European continent. “So, we have to have support staff located in the U.K. to get access to it,” Corugedo says. Depending on what precedents and processes emanate from Privacy Shield, large enterprises may suddenly find it more difficult and expensive to bring together data from their own operations in European countries to get a complete view. Privacy Shield may ease some of the complexity of cross-border data flow, Corugedo says, but it remains to be seen.
Keep an eye on what develops with surveillance law. As the Brussels-based director of European affairs for the Center for Democracy & Technology, Jens-Henrik Jeppesen has a front-row seat to European data regulation. He’s hopeful that Privacy Shield could improve protections of EU citizens’ data in the U.S. The wild card in how that turns out, he says, will be played not by businesses, but by government intelligence agencies. “Absent reform of U.S. surveillance law,” he says, “it’s highly unlikely that the Privacy Shield agreement will be deemed sufficient by the Court of Justice.” That would be the same European Court of Justice that nullified the Safe Harbor agreement last October. It promises to be a long process, as the U.S. must negotiate national security with each EU nation separately.
Expectations are that U.S. companies will not suddenly be inundated with complaints from European consumers. While Privacy Shield provides for Europeans to report privacy violations to the Department of Commerce and the Federal Trade Commission, FTC Commissioner Julie Brill last week said she expects the majority of them to file complaints with the Data Protection Authorities in their home countries.