There have been many changes in the privacy world in the last few years. People are becoming more aware of, and concerned with, the way the government and the private sector collect and handle their personal data. With the GDPR being approved and replacing the Data Protection Directive in the EU comes the realization that data protection initiatives implemented by single governmental entities no longer affect only the residents and companies in those countries. Before the GDPR, the U.S.-EU Safe Harbor framework was invalidated without an immediate replacement, leaving many organizations in limbo until the Privacy Shield was introduced and approved as its successor. These changes in regulation demand that enterprises truly reassess their personal data handling procedures. 2017 will be a busy year in the privacy realm.
GDPR and Directive changes
In 1995, the EU implemented the Data Protection Directive (Directive 95/46/EC) (Directive), which focused on the protection of individuals with regard to the processing of personal data and the free movement of such data within the EU. The Directive set a minimum legal standard under which the EU member states created their own data protection laws internally to meet that standard.
In 2012, the European Commission announced during the EU Data Protection Reform its intent to unify data protection laws across the EU with a new piece of legislation, the General Data Protection Regulation (GDPR), to supersede the Directive. The new regulation would address the EC’s objectives to harmonize the 27 national data protection regulations into one unified regulation, to improve the rules for corporate data transfers outside of the EU, and to improve user control over personally identifying data. On April 27, 2016, the new GDPR was adopted and is to be implemented by companies within a two-year transition period, by May 25, 2018.
The GDPR will be one of the major compliance initiatives in 2017. The new privacy model applies to any enterprise in the world that targets the European market by offering goods or services or by profiling European citizens, and as a result must process the personal data drawn from those member states. It has greatly enhanced the requirements organizations will be bound to in supporting the rights of data subjects.
Privacy Shield and Safe Harbor changes
The Data Protection Directive forbade the transfer of data to a country outside the EU if that country was not deemed to have adequate data protection laws. One of these countries was the US. US-based companies that relied on EU data subjects’ personal data for their business functions had to become Safe Harbor framework certified to meet the “adequate” standard dictated by the Directive. The Safe Harbor framework provided an alternative way to meet the adequacy standard and thus legally transfer personal data from the EU to the US.
The EU became increasingly concerned over American data protection and privacy laws when Edward Snowden revealed top governmental secrets about the US’ surveillance initiatives. The Max Schrems case followed, challenging the data protection laws of the US and alleging that they did not meet the Directive’s requirements and that the Safe Harbor framework should therefore be voided. On October 6, 2015, the Safe Harbor framework was ruled invalid, and the decision was effective immediately. This decision left the businesses that relied on the framework to legally transfer personal data from the EU to the US in the lurch.
Stakeholders quickly gathered to create a replacement for the Safe Harbor framework. On July 12, 2016, the new EU-US Privacy Shield was officially adopted by the European Commission. Through the Privacy Shield, any findings of “adequacy” are binding on all Member States. Companies that are deemed “adequate” by the European Commission are able to legally transfer personal data outside of the EU under the Data Protection Directive. EU member states that require prior approval of data transfers will waive this requirement or automatically grant the approval.
2017 will provide a lot of learning experiences as organizations come to grips with the new GDPR and the Privacy Shield. It will be interesting to see how these two privacy initiatives play out in real life as companies work toward compliance in the pursuit of being designated “adequate” to work with EU data subjects’ personal data across borders.