You may recall our previous posts about the drafting and negotiation of the EU-US Privacy Shield, the law designed to implement a data sharing agreement that sets specific privacy standards for companies sharing information between the European Union and United States. The Privacy Shield law has now been adopted, and will go into effect on August 1. After that date, companies can apply for Privacy Shield certifications. While it may seem to be time to rejoice for consumers and American companies doing business overseas, there remain quite a few questions with the new law.
First, it is uncertain whether the Privacy Shield will be able to withstand judicial scrutiny. The prior law governing information sharing between the United States and the European Union, the EU-US Safe Harbor program, was invalidated by European courts, necessitating the development of the Privacy Shield in the first place. Certainly the new law, which the Wall Street Journal has described as “more robust than its predecessor”, was drafted to comport with the EU’s recent General Data Protection Regulation and with that prior ruling in mind. Nonetheless, there will be legal challenges to the Privacy Shield by consumers. United States laws on privacy and data security get tougher by the day, but they remain market friendly and fall short of the consumer protection offered by European courts. Based on history, one cannot say with full comfort that the new law will withstand judicial rigor.
Second, the recent vote on Brexit complicates the situation. Will a law similar to the Privacy Shield be adopted in Great Britain? If not, will the US and Great Britain adopt different standards to govern the transfer of information? Will those standards be higher or lower than the EU's? And what impact will discussions between the EU and Great Britain in the privacy realm have on United States companies? Presently, these questions remain unanswered, although one can certainly presume that there will be some standards negotiated and put in place in the near future.
Despite those questions, the adoption of the Privacy Shield still provides companies with some comfort because they now know the standards by which they may operate. With respect to the EU, companies may now do away with whatever patchwork solution they crafted after the Safe Harbor agreement was abolished, and know the framework for any information sharing going forward. In addition, those standards will mesh better with existing EU privacy laws. This is a signal to companies that do business in Europe and seek Privacy Shield certification to review their policies and procedures on the storage and transfer of information.