
EU Data Protection and the Privacy Shield

Apr 15, 2016 by Catherine McArthur

If you operate in the cloud, or perhaps provide a cloud-based product like us, and need to work with or in Europe, you’ll know that data protection is of constant and fundamental importance to the way you do business. There are strict laws governing how data is collected, processed and stored, as well as where this takes place. As many cloud service providers are not located in the same country as the individuals provisioning them, it is necessary to have a framework in place to ensure that data remains protected and any transatlantic movements are carefully regulated.
Previously, personal data was protected under the EU-US Safe Harbor framework, which was put in place by the European Commission and the U.S. Department of Commerce in 2000.

This established a set of regulations for EU-US data transfer and enabled companies to self-certify as compliant with the framework, allowing them to export personal data from the EU and store it in the US. In October last year, the European Court of Justice declared that Safe Harbor did not provide adequate legal protection for personal data. The framework became invalid, provoking concerns and questions for organisations that relied on it in order to transfer data between the EU and US.


Since the decision was made, the European Commission and the United States have made a united effort to formulate an alternative framework that sufficiently protects EU-US data transfers. In the meantime, data transfers to the US are not prohibited, but organisations are required to comply with EU data protection laws through other methods. The European Commission released a press release in February announcing that an agreement had been made for transatlantic data flows – the EU-US Privacy Shield. The Privacy Shield claims to offer a more comprehensive level of protection, with ‘clear safeguards’ and more ‘robust enforcement’.

There is still a level of self-certification in the process, but it also requires that American companies apply and register to be on the Privacy Shield list. Each company will need to repeat the registration annually, and the US Department of Commerce will take a more active role in monitoring this list to verify that every listed organisation’s privacy policies are in line with the regulations. Since February, the necessary preparations for the new framework have been underway, and its suitability is being evaluated by each data protection authority involved.

Yesterday, the European data regulators rejected the Privacy Shield based on the grounds that they have ‘strong concerns’ about both the ‘commercial aspects, and the access by public authorities to data transferred under the Privacy Shield’. The Working Party claims that there is an ‘overall lack of clarity’ in the adequacy decision which the two entities put forward, as well as inconsistencies with the original EU Data Protection Directive 95/46/EC created in 1995. Their final statement is one that ‘urges the Commission to resolve these concerns and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU’.

The Privacy Shield is an ongoing debate, with various voices advocating or criticising its capabilities. Earlier this week, Microsoft described the framework as a ‘step in the right direction’ and ‘after detailed review’ asserted that they believe it should be approved. Despite their support of the Privacy Shield as a ‘strong foundation’, they also voiced the need for additional steps ‘to build upon the Privacy Shield after it is adopted’ with further legislation.

So what does this mean for data protection now, and in the future?

It is extremely important that the ultimate output of this process provides a framework that appropriately safeguards transatlantic data transmission. However, it is also essential that the framework is something businesses can comply with, particularly in the technology sector, where huge volumes of data are processed every day. The ever-increasing globalisation of business and commerce, largely facilitated by technology, means that communications, transactions and exchanges are able to take place unimpeded by borders.

There is a legitimate question of whether a Directive from 1995 can possibly be appropriate in governing the data movements that technology in 2016 makes possible. Much of the technology and business operations that are commonplace today – especially where the cloud is concerned – are made possible by technology that simply didn’t exist when the Directive was put in place. Let’s not forget, many technology giants today did not exist when this Directive was created; Google was founded in 1998, Facebook was founded in 2004, and cutting-edge mobile phone technology looked like this:


No doubt this is a factor for the US Department of Commerce, the Working Party and the European Commission when trying to find a way to apply a set of regulations that simply don’t work today without considerable burdens for businesses, particularly when these restrictions could actually prevent European citizens and businesses from having access to services that could benefit them. On the other hand, when someone’s personal information becomes just a number amongst billions just like it, it’s easy to forget what it represents – that it is attached to an individual, is private, and deserves protection.

In this modern, data-driven context, we must not forget that the right to privacy is a basic and fundamental human right. As such, it should be upheld and protected by appropriate frameworks, no matter what form they take. This creates a difficult balance for those trying to implement the Directive, and it will be interesting to see whether they are able to find the much needed solution that thousands of businesses are depending on.

As an organisation that transfers and stores personal data in both Europe and the US, we welcome any changes to data protection that serve to protect our customers, and hope to see real strides made in implementing the framework for transatlantic data transfers. Currently, we are pleased to offer two data storage options, both of which comply with EU Data Protection requirements, to give our customers a choice with the knowledge that, whatever their preference, their data is protected. More details on this can be found in the EU Data Protection FAQs section of our website.