Brexit Concern as EU and U.S. Agree to Strengthen Privacy Shield

The United States and the European Union agree to modify their data transfer pact, but what now for the United Kingdom?

Brexit, U.S., EU, data protection

By Tom Jowitt

The United States and the European Union have agreed to changes to Safe Harbor 2.0 (or Privacy Shield), after an initial agreement was rejected by European Watchdogs for not being robust enough.

The two have agreed to stricter rules for companies holding information on Europeans and clearer limits on U.S. surveillance.

But the UK's shocking exit from the European Union has raised data protection concern for UK firms.

Revised Deal

The revised EU-U.S. Privacy Shield has been dispatched for review by European member states, according to Reuters.

A vote on the matter is reportedly expected in early July, and then the new agreement will become law.

All of this stems from the decision last October by Europe's top court to strike down the original data-sharing (Safe Habor) deal with the United States that had lasted 15 years. In February this year, the replacement agreement, now known as the Privacy Shield was agreed upon.

That proposed replacement was designed to help firms on both sides of the Atlantic to move the personal data of European citizens to the United States without breaking strict EU data-transfer rules. But it failed to get the blessing of European data protection watchdogs, and they demanded much tougher regulations surrounding U.S. surveillance practices.

In order to beef up the agreement, the U.S. government has explained the specific conditions under which intelligence services might have to collect data in bulk. They also detailed the safeguards on how the data would be used.

A letter from the Office of the Director of National Intelligence, seen by Reuters, gave an example of the United States seeking information on the activities of a terrorist group in the Middle East believed to be plotting attacks against Europe. If Washington does not have information, such as names, phone numbers or email addresses, it would collect communications "to and from that region for further review and analysis to identify those communications that relate to the group," the letter states.

"Thus, even when targeting through the use of specific selectors is not possible, the United States does not collect all communications from all communications facilities in the world," the letter reportedly said.

The United States has also pledged to create a new privacy official, who will be responsible to deal with complaints from EU citizens about U.S. spying. This official would reportedly be independent from the U.S. intelligence services.

UK Exit

The transfer of personal data from the United Kingdom to the United States was covered by the original Safe Harbor agreement, and then the revised Privacy Shield.

But following the shocking decision by British voters to exit the European Union, some businesses could be concerned about the way forward.

But at least one expert suggests firms should not panic, but just carry on.

"In my view, the long-term impact of a 'Brexit' on the legislative framework for privacy will probably not be hugely significant," said Peter Galdies, development director at data governance, risk and compliance firm DQM GRC.

"After Article 50 is invoked, which gives our official 'notice' to leave the EU [which now looks likely to be after October 2016], there will be a mandatory two-year minimum period in which we remain a member of the EU whilst we negotiate an exit," he said. "During this time, all existing legislation [including GDPR] will continue as before. Many forecast that this process might take much longer—with many estimates between three and six years."

"The many organizations which already manage or contain personal data relating to EU/EEA state citizens [clients, prospects or employees] will continue to have to manage that data according to the requirements of the GDPR regardless of 'Brexit,' or they will be in breach of the GDPR and risk large fines—so for many organizations nothing will change—the GDPR will apply even when we leave," said Galdies.

"It is also highly likely that the UK [now with a strong new commissioner with a proven history of backing and enforcing consumer rights] will adopt a legislation directly modeled on the GDPR [as we will also need to do with the other legislations, such as worker's rights and other similar good laws that protect the rights of the individual which will now need replacing]," said Galdies.

"The pressure to negotiate a strong trade deal with the EU will also drive the adoption of 'mirroring' legislation—designed to minimize the barriers to continued trade," said Galdies. "Ultimately, we must continue to 'Keep Calm and Carry On.'"