With the introduction of the provisional Privacy Shield EU to US agreement last month, we look at what it is, what it means for US business, and the wider implications for the international business community as a whole.
What is Privacy Shield?
Privacy Shield is a transatlantic data protection agreement between the EU and the US. It stands in place of the Safe Harbour Privacy Principles – an agreement that was struck down in October last year by the European Court of Justice.
In short, Privacy Shield is an arrangement demanding US companies provide more stringent protection of European personal data. It demands that there is clear monitoring and regulation of how US companies can access, transfer and use Europeans’ data.
For the first time, Europeans will be able to clearly enquire and complain about the use of personal data in the US if it isn’t fulfilling the limitations set out by the Privacy Shield agreement.
What Does Privacy Shield Mean For Businesses?
Privacy Shield is born out of necessity, as US tech giants increasingly transfer and leverage worldwide data. Previously, EU to US data transfer has been virtually unlimited and there is increasing recognition of the problems this can bring.
US businesses will now have a burden of responsibility to prove they’re protecting the privacy of European citizens. We should expect to see an increase in regulatory process for US companies operating abroad, along with a more accessible complaints procedure for EU citizens.
In principle, Privacy Shield is a positive development. It enables US companies to continue the transfer of data across country borders, which is obviously a necessity in the world of international business. At the same time, it’s a movement towards providing greater individual protection – which can only be a good thing.
However, the Privacy Shield agreement doesn’t come without its problems.
The agreement has been somewhat rushed, hammered out under pressure and therefore leaves much uncertain. Final approval for Privacy Shield has not yet been secured – and given the bureaucracy involved, it could be months before a solid agreement is in place.
Detractors of the Privacy Shield agreement would argue that it fulfils neither of its two ostensible goals: to allow US business to continue to transfer data internationally while allowing protection of EU citizens’ rights. The counterargument would be that such agreements are intended to cripple US tech giants, while doing little in the way of offering real protection to citizens.
Privacy Shield Is Not Enough
The fact is this: Privacy Shield is not enough. Data protection is more complex than any such agreement implies, and simply regulating international movement of data isn’t sufficient.
Recent studies have shown that more than 70% of UK businesses fall down on cyber security, which speaks to the need for businesses to redress their wider data protection practices. While ensuring data is securely transferred abroad is no doubt important, it’s by no means the full picture.
We live in an increasingly digital, multi-device, multi-channel world, and as such we’re increasingly vulnerable to cyber crime. Companies are more exposed than they’ve ever been before, and simply complying with international data transfer and residency agreements isn’t enough to plug the gap.
Instead, businesses need to take a broader and more holistic approach to data protection. All digital touchpoints throughout the business must be secured, or you risk the data integrity of your organisation.
We don’t have long until mistakes of this kind will warrant a severe financial penalty. The General Data Protection Regulation will come into effect next year, and will impose severe fines for businesses allowing data breaches. While reimagining cyber security and defence is no doubt an investment, it’s one worth making – if for no other reason than to safeguard your business against the GDPR fines.
It’s no longer acceptable for businesses to take a vague stance on data protection. Creating a secure data environment is one of the biggest concerns facing businesses today, and requires a significant strategic rethink. Cyber security must be addressed at both Board and grassroots level, with the principles of sound data protection embedded throughout the enterprise.
It’s for this reason that Privacy Shield cannot be taken as a comprehensive solution. Compliance is not enough. Rather, businesses must be proactive about their data protection strategy if they hope to weather the changes the future brings.