Last month, the European Union and the United States reached a new agreement on European data protection. The agreement, which goes by the name EU-US Privacy Shield, replaces the old Safe Harbor agreement, which was repealed by the European Commission at the end of 2015. However, the new agreement has not yet been officially ratified, a process that will probably take months. But what does this mean for your organization?
The end of Safe Harbor
It is prohibited, by European privacy laws, to store personal data of European citizens in countries where their privacy is not sufficiently guaranteed. There are eleven countries outside the EU that are considered safe enough to store this data. Among them are Canada, Switzerland and Israel. The United States is not one of those countries. To solve this problem, however, the EU and the US reached the Safe Harbor Agreement in 2000.
The Safe Harbor agreement required American companies to comply with European privacy rules in order to store personal data of European citizens on American servers. The same held true for data of American companies stored in European datacenters.
Unfortunately, the European Court of Justice invalidated the Safe Harbor agreement in October 2015. The court ruled that the privacy of European citizens could no longer be guaranteed on American servers. This was in large part a result of the revelations of whistle-blower Edward Snowden about the massive collection of personal data of European citizens by the NSA.
The new EU-US Privacy Shield
Earlier this month, on February 2, a new agreement was reached on the subject. The new agreement is called EU-US Privacy Shield and it contains new rules to safeguard the privacy of European citizens. Unfortunately, the text of this new agreement has not yet been made public, so there is not much we can say about the details of the Privacy Shield. What we do know so far is that the US government has promised to no longer perform mass surveillance on European data. They will also appoint a so-called data ombudsman, to whom Europeans can submit their complaints. There will also be an annual evaluation of the treaty.
Will the EU-US Privacy Shield solve the problems with data privacy?
That is something we don’t know at this time. As said before, we don’t know the full contents of the Privacy Shield. It also hasn’t been officially approved yet, a process which may take until June or possibly later. In the meantime, no one will get fined for storing European personal data on American servers. There’s also no guarantee that the agreement will be approved in its current form, or at all. So if you really want to be certain that you won’t get fined for handling private European data, it might be best to look for a storage solution within the EU and with a European company.