In 1995 the EU adopted the Data Protection Directive regulating the exchange of personal data within the European Union and requiring the prohibition of those flows to third countries with inadequate privacy protection. In July of 2000, the European Commission judged the principles of the US-EU Safe Harbor Framework “adequate” in terms of providing data protection. The Safe Harbor Privacy Principles included Notice (think “Notice Of Privacy Practices”), Choice (think “opt out”), Onward Transfer (think “satisfactory assurances”), Security (think “safeguard), Data Integrity (think “relevant for the services being provided”), Access (think “access and amendment”) and Enforcement (think “recourse for non-compliance”).
Unfortunately, in October 2015, Safe Harbor was struck down by the European Court of Justice when an Austrian privacy campaigner alleged that documents leaked by Edward Snowden included his personal information on Facebook which was transferred from Ireland to the U.S. Yikes! According to an article on Data Breach Today by Matthew Schwartz, the implications of a censure on personal information transfers between the U.S. and the E.U. would be significant as data transfers are “the lifeblood of many organizations” from insurance information to credit card transactions to pharmaceutical research and beyond.
With Safe Harbor now deemed “invalid,” U.S. negotiators were able to re-establish “adequacy” of protection by promising to apply the code of fair information practices outlined in the Privacy Act of 1974 to EU citizens. Nicknamed the Privacy Shield, the code governs the collection, maintenance, use and dissemination of information about individuals maintained by federal agencies and will take effect on February 1st.
But an executive order titled “Enhancing Public Safety in the Interior of the United States” signed by President Trump on January 25th may undermine the Privacy Shield. Section 14 of the order instructs federal agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Oops
But wait! Maybe not….preliminary analysis by legal experts note that the executive order says that it will apply “to the extent consistent with applicable law” so perhaps won’t undo the Privacy Shield after all… but it remains to be seen if that will be sufficient to calm the fears of EU citizens.
In another twist, in an effort to aggregate multiple country laws in Europe, the EU overhauled its data protection and privacy laws and passed a new General Data Protection Regulations in 2016, although it won’t be enforced until May 2018. Among other things, European data protection authorities will be able to fine companies who do not comply with EU rules with up to 2% of their global annual turnover.