Max Schrems nudged himself into the international spotlight in his early twenties.
The Austrian law student and privacy activist was not yet 25 when he filed a complaint against Facebook, arguing that the social media company indiscriminately accessed his personal data.
Schrems requested what personal information the social media platform had collected and was shocked to find a number of items kept by the company, including a private message regarding a friend’s medical condition.
His complaint ultimately was handled by the European Court of Justice, and upended the Safe Harbor data laws, rescinding the nearly two-decade-old legislation and replacing it with the EU-US Privacy Shield. Today the Privacy Shield is the law of the land when it comes to the transatlantic transfer of data.
Across The Sea
The Privacy Shield oversees data transfer from countries within the European Union to the United States. The law went into effect in July of 2016 and allows companies to self-certify to its requirements. Under the new legislation, the U.S. Department of Commerce oversees self-certification by American companies and enforces the law’s standards.
Schrems argued the fact that Facebook’s Ireland offices were sending his (and other users’) data overseas to the U.S. In the end, the CJEU ruled that Safe Harbor “did not adequately protect personal data from ‘interference’ from the US government ‘founded on national security and public interest requirements.’”
Since its inception, there’s been criticism of the new EU-US Privacy Shield law, with some saying the directive still doesn’t do enough to protect citizens’ personal data. However, for the time being, it’s the rule when it comes to data transferred across the Atlantic.
EU-US Privacy Shield Requirements
It is not a requirement that US companies seek self-certification, but once they do, their adherence to the Privacy Shield is enforceable by law.
The new legislation seeks to give citizens more insight into how their data is transferred, as well as the option for recourse in the event that their information is not properly handled. Among its rules, the EU-US Privacy Shield has seven main principles:
Notice: Under the Privacy Shield, individuals must be informed what data of theirs is being stored, how to contact the certified agency, and options for remedying complaints submitted. Among other things, individuals also need to be made aware of where their data is going and the access they have to it.
Choice: The law lets individuals decide, in certain situations, when to choose to opt out of submitting their information to certain third-party groups and also requires consent from individuals when disclosing sensitive personal information.
Accountability for Onward Transfer: This requirement deals with the transfer of data, and was put in place to make sure that information is transferred “only for limited and specified purposes,” and that third party information handlers have adequate security measures in place.
Security: This standard requires companies to “take reasonable and appropriate measures” to protect data while transferring it.
Data Integrity and Purpose Limitation: Data that’s transferred must be relevant “for the purposes of processing,” and Privacy Shield-certified organizations also have a responsibility to only hold on to certain data for the amount of time necessary for transfer purposes.
Access: Individuals need to have access to their personal information that’s being held, and, in the event of incorrect information, the ability to change it.
Recourse, Enforcement and Liability: Companies abiding by the Privacy Shield law must develop actions for remedying non-compliance and also need to be held accountable when non-compliance occurs. This principle ensures that organizations can be held liable when they fail to comply with Privacy Shield regulations.
An Uncertain Future?
As we learned from the Schrems case, legislation doesn’t always last. And there’s a lot that’s yet to be seen with the Privacy Shield, especially as the General Data Protection Regulation is set to become law in May of 2018.
The Privacy Shield law has already been challenged in court and there are some who think it will face the same fate as the Safe Harbor legislation. So, the future of the Privacy Shield isn’t quite cut and dry.
But, what we do know is that issues of privacy and keeping data safe will continue to take center stage when it comes to international trade and commerce. This is especially evident after recent cyber attacks around the globe.
The laws might change, but the threat of compromised digital security won’t go away.
United Language Group will be hosting a webinar on the EU-US Privacy Shield on June 22. You can register here.