What does the EU-US Privacy Shield mean for Britain’s small firms?
The Privacy Shield will be relevant to your business if it transfers personal data to the US
Writing for Business Advice, law firm Wright Hassall’s Samantha Woolley takes a close look at how Britain’s small businesses might be affected by the new personal data transfer measures set out in the EU-US Privacy Shield.
This Privacy Shield, which was announced by the European Commission on 29 February 2016, provides a revised mechanism for legitimately transferring EU citizens' personal data to the US. Whilst we wait to see whether it will be formally adopted, small businesses that transfer data to the US should be prepared for its arrival and evaluate all data transfers made to the US.
How will the Privacy Shield affect small firms?
If your business transfers any information relating to an identifiable living EU citizen to any country outside the EU, you must comply with EU data protection rules. This includes carrying out due diligence on the companies that you transfer data to and ensuring that your contractual relationship is sufficient to safeguard any personal data transferred.
The Privacy Shield will be relevant to your business if it transfers personal data to the US by any means. Common examples of ways in which small businesses might transfer data to the US are:
using online facilities to process payments
outsourcing data to third-party processors in the US
using cloud storage providers
using a website hosting provider
If you use any of the above services, or anything similar, you should check your terms and conditions with these providers to see where the data is being processed, stored or hosted.
Why is the Privacy Shield needed?
In order to protect personal data relating to EU citizens, EU law prohibits such data being transferred to countries which do not ensure an adequate level of protection. The EU does not regard the US as having a sufficient level of protection for EU citizens' data. However, an agreement between the EU and US known as 'Safe Harbor' was established in 2000 to allow US companies to self-certify that they would adequately protect data transferred to them.
Following a high-profile case against Facebook for transferring data to the US National Security Agency (NSA), in October 2015 the EU's Court of Justice ruled that Safe Harbor was no longer an adequate mechanism for transferring data to the US.
Following several months of uncertainty and negotiation, the EU and US have now agreed upon the Privacy Shield as a revised mechanism of legally transferring data to the US.
What is the Privacy Shield and how is it different to Safe Harbor?
The Privacy Shield is essentially a list of principles that US organisations can self-certify that they comply with. The principles are designed to safeguard data to the same standard as it would be protected within the EU. The US will maintain an up-to-date list of members, which can be relied on as a basis for legally transferring data to an organisation on the list.
This is the same format as Safe Harbor; however, the principles under the Privacy Shield impose stronger obligations on companies and are more rigorous than Safe Harbor because:
The Privacy Shield will contain limitations on the US government’s ability to access such data
The US government has given assurances that it will not carry out mass surveillance operations on EU citizens' data
Compliance with the Privacy Shield principles will be actively monitored and enforced by US authorities
There will be sanctions on companies for failure to comply
EU citizens will have the same rights as US citizens if their privacy is breached and there will be a number of accessible avenues of redress for EU citizens
An annual review will take place to ensure that it remains effective
What should small business owners be doing?
The current situation is uncertain because the Privacy Shield has not yet been formally implemented. Transferring data on the basis of Safe Harbor is no longer adequate; however, there are other means of legitimately transferring data to the US, such as including specific model contract clauses in agreements with US companies.