Restive regulators in Europe are gearing up to enforce tough privacy
laws and further court challenges await, activists say.
The breakdown of the main framework for providing legal cover for
cross-border data transfers has companies large and small racing to
find workable alternatives. These range from stricter data-handling
policies to new technologies or paying to lease datacenters based in
Europe.
Companies, facing renewed threats by privacy regulators,
find themselves on legal thin ice with many of the existing
procedures for managing cross-border data flows, experts say.
Google, Facebook and other big Internet services which transfer
mountains of data globally are likely to be the first targets in any
regulatory crackdown, they said.
Hailed as a "Privacy Shield" by European Union and U.S. negotiators
who reached the new cross-border data sharing agreement, the deal
faces a labyrinthine approval process before the new rules have any
chance of coming into force.
"Once it becomes available, businesses will want to be cautious
about signing up to Privacy Shield given the potential legal
challenges that special interest groups have already suggested they
will be considering," cautioned Marc Dautlich, a partner with
Pinsent Masons in London.
TOUGH ON PRIVACY
Cross-border data transfers are used in many industries for sharing
employee information, when consumer data is shared to complete
credit card, travel or e-commerce transactions, or to target
advertising based on customer preferences.
Since 2000, up to 4,500 U.S. companies had come to count on a simple
set of rules, dubbed Safe Harbour, allowing them to self-certify
they complied with privacy principles for personal data transfers
from Europe to the United States. Many other firms, especially
fast-growing start-ups, did nothing to comply.
In October, the European Court of Justice threw out Safe Harbour. In
a landmark decision, it ruled the mechanism provided inadequate
protections under European privacy laws against the sorts of spying
by U.S. intelligence agencies revealed by former NSA contractor
Edward Snowden in 2013.
Independent-minded national privacy regulators say they need to know
more details about the so-called "Privacy Shield" but many openly
doubt the agreement can bridge the gulf between the two continents'
privacy practices.
"Transfers to the U.S. cannot take place on the basis of the
invalidated Safe Harbour decision. EU data protection authorities
will therefore deal with related cases and complaints on a
case-by-case basis," Europe's national privacy regulators said in a
joint statement on Wednesday.
The data commission for Schleswig-Holstein, Germany's most northern
state, said it was prepared to take action on national data
protection rules if citizens file complaints.
The regulator warned in October that firms found in violation of
German data protection rules could face fines up to 300,000 euros
($335,000). Across the region, multi-million euro fines could be
imposed on offenders and commercial transfers of personal data
prohibited, privacy experts say.
SEARCHING FOR OPTIONS
An alternative form of legal compliance offered by the EU is
"standard contract clauses", or "model contracts", which require
companies to spell out exactly what data is being transferred to
what U.S. companies and the measures to be taken to ensure
compliance with European privacy law.
Some national data authorities offer what is known as "binding
corporate rules" (BCRs), which companies mostly use for cross-border
employee data transfers inside their organizations. But BCRs can
take up to 12-18 months to be formalized, while model contracts can
take days or weeks.
However, many regulators and privacy experts say that the same high
court ruling that struck down Safe Harbour may also render model
contracts and BCRs invalid, making them only a temporary safe haven
for meeting European rules.
Using technology to keep data within Europe's borders is a
longer-term, if pricier, solution. Leasing datacenters based in Europe
rather than relying on centralized U.S. servers has started to take
off over the past year or two.
That's an approach huge cloud-based software companies Microsoft and
Amazon.com and specialist datacenter providers have begun offering
to customers to meet a patchwork of data residency requirements in
Europe.
U.S. file-sharing company Syncplicity has introduced software that
keeps sensitive corporate data created in Europe within the region,
offering new ways to store data in the cloud locally. ($1 = 0.8932
euros)
(Editing by Keith Weir)
[© 2016 Thomson Reuters. All rights reserved.]