Anyone who markets to countries in the European Union (and so is transferring data from the EU to the United States) knows that the Safe Harbor program has been made null and void. You probably also know that most businesses can provide Model Clause contracts for companies who are concerned with cross-border data transfers. These are standard contractual clauses that the European Commission has said “provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.”
The shorthand is that these clauses are an adequate method to ensure compliance. But they fall short of the broad umbrella that’s needed: a framework to bridge the differences between various countries’ approaches to privacy, and provide a streamlined means for U.S. organizations to comply with EU data protection laws.
Everyone is in agreement that privacy is good for business. The Safe Harbor program served us well in the pre-digital market, but it’s time to move on.
So: what’s next to replace Safe Harbor? Ladies and gents, let’s get ready for the upcoming Privacy Shield (not to be confused with superheroes and the like, who actually carry shields).
In April 2016, the new EU General Data Protection Regulation (“GDPR”) became law in the European Union, replacing existing EU and national data protection laws. This is a set of laws to standardize privacy and data protection intra-EU, and it’s intended to take effect in 2018.
The Privacy Shield is the proposed new framework for transatlantic data flows, designed to reestablish a legal basis for EU–U.S. data transfers. Like Safe Harbor, Privacy Shield is a joint effort between the U.S. Department of Commerce and the European Commission.
Here’s an overview: