In October of 2015, the European Court of Justice issued a judgement declaring the Safe Harbor program to be invalid, ruling it does not adequately protect consumers. The Safe Harbor agreement was made to allow the transfer of EU citizen data to companies in the US through self-certification, so any data transfer that has occurred since the abolishment of the Safe Harbor rule could be in violation of EU privacy laws, unless model contract clauses were put in place. This has been, of course, problematic for global organizations, with speculation that some firms are now under investigation.
A new agreement, referred to as the EU-US Privacy Shield or Safe Harbor 2.0, was reached on February 2, 2016. The European Commission released details on the Privacy Shield on February 29th, 2016, as well as a frequently asked questions brief. The agreement is currently still only tentative, and some do not believe enough progress has been made to get the stamp of approval from the European Court of Justice.
The new Privacy Shield framework for the exchange of personal data places stronger obligations on organizations in the US to protect the personal data of Europeans, including stronger monitoring by the US Department of Commerce (DoC) and the Federal Trade Commission (FTC). The agreement will include sanctions or exclusions for organizations that do not have in place effective policies to protect data.
To address concerns over the use of data by public authorities on national security grounds, specific limitations and safeguards have been put in place to prevent generalized access to data by the US government. The details of the new Privacy Shield are being implemented both in the EU and in the US. Since the new framework is not in place, organizations that operate in Europe are still in the same legal grey area.
Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of change in technology and more complex employee demographics, have created a complex environment for IT data security. Invest in security measures now to ensure that your organization is able to keep customer data secure at the highest level of legal requirements, worldwide. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.