What is it?
Despite the name, it’s not a feminine hygiene product. It’s the long-awaited replacement for Safe Harbour, the data protection scheme allowing data on EU citizens to be exported to the US for processing. You can read more on this blog about why Safe Harbour needed replacing.
When does it take effect?
It was approved by the EU (in something charmingly called an adequacy decision) on 12th July. US companies can register with the US Department of Commerce from 1st August 2016.
What we don’t know is when we are required to comply with it – how long before passing data to a US company not registered with Privacy Shield will be a problem? I asked the ICO and got this answer from their representative:
I understand that the ICO are attending a meeting in Brussels this week where this will be discussed, at this point I would refer you to the EU Commission website for further information about this. Once the meeting has taken place we may be in the position to form a view on this.
How does it work?
US companies wishing to receive personal data of EU citizens have to self-certify with the US Department of Commerce. They agree to abide by the “Principles” – which can be summarised as inform, seek consent, protect, take responsibility, provide for complaint – and to inspection and oversight by a relevant trade body (currently the Federal Trade Commission and the Department of Transport). They don’t have to opt in, but if they do, it’s all-or-nothing and enforceable. Apart from being thrown off the register, other penalties for non-compliance are not specified but appear to vary depending on the statutory powers of the relevant regulatory body.
Will it work?
Good question. Insufficient data at this stage, I think. Personally I think the “protect” principle is very weakly worded – here it is in its entirety:
Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Another one of those let’s-wait-for-the-test-case situations, I suppose. There’ll be one, inevitably, from Max Schrems or another EU privacy campaigner.
What will happen if we’re not compliant?
Another good question. Another insufficient-data answer, too. I asked the ICO this and got a very similar response to the one I received in answer to my previous question:
I can only ask that at this point you wait until we have met attended [sic] the meeting. You may wish to contact us again possible [sic] next week where we may then have formulated a view.
So it’s already in force, but US companies can’t register until next Monday, nobody knows how long we have before not having registered becomes a problem, and no-one knows how much of a problem that will be. Business as usual in data-protection land, then.
(Footnote for Brexit-nerds – Privacy Shield also applies to Iceland, Liechtenstein and Norway. But they didn’t get to vote on it.)