Blog – Safe Harbour 2.0 Gets The Greenlight


The next major raft of data legislation kicked into effect on 12th July 2016, with the European Commission’s official adoption of the EU-US Privacy Shield framework. These measures will ensure the protection of EU citizen data in its transfer to the United States.

“We have approved the new EU-US Privacy Shield today. It will protect the personal data of our people and provide clarity for businesses,” said Andrus Ansip, the EC’s Digital Single Market VP.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions”.

Known as Safe Harbour 2.0, this agreement will help firms to move personal data either side of the Pond without breaking strict EU data transfer rules.  After many re-drafts, the EC believes the new framework is now robust enough to protect the data of European citizens.

Obligations and compliance overseer
The US Department of Commerce will be the body responsible for checking that participating companies that have signed up to the framework are duly following the rules. Failure to do so will result in them facing sanctions and being struck off the list. Additionally, the same levels of protection will apply to any personal data that is forwarded by third parties.

Safeguards and transparency around US government access
The EU has been assured that public authorities' access for law enforcement and national security remains subject to clear limitations, safeguards and oversight mechanisms. The US will not be allowed to undertake indiscriminate mass surveillance of personal data of EU citizens and every EU citizen will forthwith benefit from redress mechanisms.

Individual rights redress
Under Safe Harbour 2.0, any citizen who considers that their data has been misused will be able to refer to a number of accessible and affordable dispute resolution schemes. Ideally, the complaint will be resolved by the company directly in the first instance, or free-of-charge Alternative Dispute Resolution (ADR) solutions will be offered.

EU-US annual joint review
The Privacy Shield scheme will be jointly reviewed each year by the European Commission and the US Department of Commerce. Their respective national intelligence experts from the US and European Data Protection Authorities will collaborate to assess all sources of information available and issue a public report to the European Parliament and the Council.

So where does this leave the rights of UK citizens post Brexit?
We need to remember that until Article 50 is signed UK citizens are still EU citizens and therefore we all benefit from these changes. In point of fact the General Data Protection Regulation (GDPR), which comes into effect in May 2018, will become law in the UK as we will still be part of the EU. Additionally, the Information Commissioner's Office (ICO) has already stated that any re-draft of the UK Data Protection Act would have to take into account both the GDPR and Safe Harbour 2.0.

The changes we have seen so far and the adoption of a single European Data Protection Law lead me to consider the question: would a Global Data Protection or Global Data Transfer Regulation, much like the International Standards, help safeguard every citizen?

Microsoft moved to build new EU datacentres

In response to the collapse of the Safe Harbour Agreement of 2000 on 6th October 2015, and following meetings and conversations between EU and US regulators, Microsoft has announced it will invest $2 billion in infrastructure development across Europe. This is in addition to confirming the completion of the latest phase of improvements to its existing data centres in Dublin and the Netherlands.

This new investment will enable Microsoft to provide secure commercial cloud services for its customers and address the sovereign issues of data transfer and compliance that the lapse of legal reference, caused by the scrapping of Safe Harbour, created on 21st October 2015.

Once the new datacentres are up and running (planned to open late 2016), Microsoft will be able to replicate data within the UK for backup and recovery (vs the current failover of data going to the US from Europe). General Manager of Microsoft UK, Michael Van der Bel, said, “This will help meet demand from those who want their cloud systems based in the UK and now they can meet the strict regulations of the banking, financial services and public sectors”.

It is good news for compliance within Europe, but the EU and US still need to work assiduously to thrash out a legal plan before the end of January 2016 when fines will kick in for non-compliance, to ensure that transatlantic business data can still traverse fluidly and securely across the Pond, avoiding nation fragmentation and an MSP administrative mess.