July 24, 2018

What is the future of Privacy Shield?

First things first, let’s take a moment to look back before we look forward… What is Privacy Shield, and how did we get here?

Once upon a time, the EU and the United States had an agreement called “Safe Harbor” that allowed the transfer of data between the two territories without excessive need for legislative reform. This was a good thing, until it wasn’t.

We experienced a time of data-transfer uncertainty while the two governments negotiated a new data transfer agreement. This bad boy came to be known as “Privacy Shield.” As of July 12, 2016, once again all was good in the land of digital data transfers…or was it?

While both sides agreed Privacy Shield was better and more robust than Safe Harbor, Privacy Shield came under attack soon after it was launched. According to several privacy experts in the EU, it still lacked several things: data deletion standards, parameters around the collection of “big data,” and clarifications regarding a privacy ombudsperson (a government-appointed representative who speaks for the general public) in the United States.

You likely know the story already. The government made promises to address and rectify these areas, and everyone felt good again. More than 3,000 companies registered to participate and agreed to meet the requirements and practices of the new Privacy Shield program. (Note: 250ok participates in Privacy Shield and will be actively monitoring this as it progresses to ensure ongoing compliance.)

However, in 2018, while the EU was preparing to go live with the General Data Protection Regulation (GDPR), the EU Parliament was still waiting for these promises to be fulfilled by their US counterparts. With the prospect that these might never come to fruition, a formal “Motion for a Resolution” on the future of Privacy Shield was put forth. That’s where we are today.

Within this motion are two key areas that could impact the future of Privacy Shield:

  1. It takes the view that the current Privacy Shield arrangement does not provide the adequate level of protection required by the GDPR and EU Charter, as interpreted by the European Court of Justice.
  2. Unless the US is fully compliant by September 1, 2018, the Commission has failed to act in accordance with Article 45(5) GDPR. It therefore calls on the Commission to suspend Privacy Shield until the US authorities comply with its terms.

If the United States doesn’t implement any of the required changes, does this spell the end of Privacy Shield? There was some hope the California Consumer Privacy Act could save Privacy Shield, but it looks like it was too little, too late.

According to the IAPP, the EU commission voted on July 4th, 2018, 303 to 223 in favor of suspending Privacy Shield unless the US is fully compliant by September 1, 2018. Considering how changes have gone up to this point, this vote strongly signals Privacy Shield’s demise.

But wait! The decision to suspend Privacy Shield rests in the hands of the European Commission, which can choose to delay or ignore the result of this vote, and instead wait until after the second annual review of Privacy Shield, in October 2018.

We’ll stay plugged into the progress of all this as September and October draw near, so check back this autumn for the latest.

Author: Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (CIPP) with more than a decade of experience in email marketing. Matt is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
