Brexit Concern As EU and US Agree To Strengthen Privacy Shield


The United States and EU agree to modify data transfer pact, but what now for the UK?

The United States and the European Union have agreed to changes to Safe Harbour 2.0 (or Privacy Shield), after an initial agreement was rejected by European watchdogs for not being robust enough.

The two have agreed to stricter rules for companies holding information on Europeans and clearer limits on US surveillance.

But the UK’s shock exit from the European Union has raised data protection concerns for firms based in this country.

Revised Deal

The revised EU-US Privacy Shield has been dispatched for review by European member states, according to Reuters.

A vote on the matter is reportedly expected in early July, and then the new agreement will become law.

All of this stems from the decision last October by Europe’s top court to strike down the original data sharing (Safe Harbour) deal with the United States that had lasted fifteen years. In February this year the replacement agreement, now known as the Privacy Shield, was agreed.

That proposed replacement was designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data transfer rules. But it failed to get the blessing of European data protection watchdogs, and they demanded much tougher regulations surrounding US surveillance practices.

In order to beef up the agreement, the US government has explained the specific conditions under which intelligence services might have to collect data in bulk. They also detailed the safeguards on how the data would be used.

A letter from the Office of the Director of National Intelligence, seen by Reuters, gave an example of the United States seeking information on the activities of a terrorist group in the Middle East believed to be plotting attacks against Europe. If Washington does not have information such as names, phone numbers or email addresses it would collect communications “to and from that region for further review and analysis to identify those communications that relate to the group,” the letter states.

“Thus, even when targeting through the use of specific selectors is not possible, the United States does not collect all communications from all communications facilities in the world,” the letter reportedly says.

The United States has also pledged to create a new privacy official, who will be responsible for dealing with complaints from EU citizens about US spying. This official would reportedly be independent from the US intelligence services.

UK Exit

The transfer of personal data from the United Kingdom to the US was covered by the original Safe Harbour agreement, and then the revised Privacy Shield.

But following the shock decision by British voters to exit the European Union, some businesses could be concerned about the way forward.

At least one expert, however, suggests firms should not panic and should just carry on.

“In my view the long term impact of a “Brexit” on the legislative framework for privacy will probably not be hugely significant,” said Peter Galdies, Development Director at data governance, risk and compliance firm DQM GRC.

“After Article 50 is invoked which gives our official ‘notice’ to leave the EU (which now looks likely to be after October 2016), there will be a mandatory 2-year MINIMUM period in which we remain a member of the EU whilst we negotiate an exit,” he said. “During this time all existing legislation (including GDPR) will continue as before. Many forecast that this process might take much longer – with many estimates between 3 and 6 years.”

“The many organisations which already manage or contain personal data relating to EU/EEA state citizens (clients, prospects or employees) will continue to have to manage that data according to the requirements of the GDPR regardless of “Brexit”, or they will be in breach of the GDPR and risk large fines – so for many organisations nothing will change – the GDPR will apply even when we leave,” said Galdies.

“It is also highly likely that the UK (now with a strong new commissioner with a proven history of backing and enforcing consumer rights) will adopt a legislation directly modelled on the GDPR (as we will also need to do with the other legislations, such as worker’s rights and other similar good laws that protect the rights of the individual which will now need replacing),” said Galdies.

“The pressure to negotiate a strong trade deal with the EU will also drive the adoption of ‘mirroring’ legislation – designed to minimise the barriers to continued trade,” said Galdies. “Ultimately we must continue to ‘Keep Calm and Carry On.’”
