The new EU/US collaboration to replace Safe Habor has been launched this week. Given the catchy marketing name of ‘Privacy Shield’, what does it actually shield people from?
What is Privacy Shield ?
Privacy Shield is to be used to protect personal information from foreign powers when the data is being held or processed within their geographic locations. This is really important in todays cloudy solution world, where it can be hard to determine exactly where your data is being sent when you buy services from large multinational companies.
As an paranoid example, the British concern would be the slurping of our personal data by the American National Security Agency (NSA). Reciprocally, data about american nationals being consumed by our GCHQ & MI6.
To protect against these data slurps, the ‘Article 29 Data Protection Working Party’ created the ‘Safe Harbor’ framework.
The Article 29 Data Protection Working Party was set up under the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Unfortunately over time, ‘Safe Habor’ just like its spelling became outdated and somewhat more favourable to our cousins over the pond. Having been in existence for 16 years was deemed unlawful and ceased to exist from 31 October 2015. A new Article 29 working party were tasked with delivering a new framework by the 31st Jan 2016.
I’ve been very outspoken against it for a number of years. In reality it gave very little or no protection at all. It was self regulated and self served, as long as you filed your paperwork on time and paid the fees, there was nothing to protect the data.
Although it ended 3 months ago there hasn’t been an immediate replacement. Companies were left in limbo during this uncertain period, without advice on what to do next.
Although a few days late, agreement and exchange of letters by all the parties was completed on the 2nd Feb 2016. For the working party this is believed to be enough to form the basis of a new law. It may be challenged in the future by member states or by privacy advocates as not being legally binding.
Each of the member nations Data Protection Authorities had an active role in the creation of this new arrangement. For us Brits we can only assume this mean the Information Commissioners Office, a.k.a The ICO. At the time of writing, the ICO has been exceptionally quiet on the matter. There’s not been a single tweet nor mention of it on their blog page. When you consider the massive change and impact of this new legislation, this is a little concerning.
Thankfully other online sources such as Privacy Law have been more proactive.
The biggest changes known about so far are about its governance. Privacy Shield is to be reviewed annually to ensure it remains lawful and practical. This redresses one of Safe Harbors issues, that it never evolved and didn’t reflect the changing digital landscape.
It is also going to have an independent ombudsman, so there will be someone to investigate and challenge improper use of personal data by a member state. It’s still to be decided how this body will be operated and what its composition will be. We can only hope that it’s not made up purely from the public sector and free from coercion.
“The exchange of letters and framework shall now be passed to the member states to be formally bound into law.” I’ll leave the interpretation of this statement to you, as you could determine its meaning as not being lawful or a law as yet.
The ombudsman body needs to be formed and given the appropriate powers. This would also assume that a location for this ombudsman would need to be set. May I suggest somewhere other than Cheltenham or within Maryland.
Each of the Data Protection Authorities need to work out the more granular details of how it shall work. Special emphasis will be needed on how national adaptations consider localised law. Interactions with existing UK laws such as the Data Protection Act & the ‘Common Law Duty of Confidentiality’ will need to be formulated. This will then need to communicated in an adaptable way that companies can easily understand.
When the finer details are published, companies shall then have to create new policies and may have limited timescales to introduce risk controls and mitigations.
In short, we are still many months away from having something workable that British companies can adopt. In the interim, we shall have to continue to follow Best Current Practice (BCP) to secure our data. We *all* need to be certain about where our data is and not take it for granted that it is being protected or consumed by foreign governments.
Secure the Human, Secure the Brand
“Davey Cameron is a Pie”. There said it. It means very little in itself, but does...