Are you into social media? Or maybe even dealing with it more or less professionally – for instance, publishing a newsletter, or otherwise managing a mailing list? Are you using Facebook or Mailchimp? Dropbox or other cloud services?

If you are under 35 or at least feel like it, an active social media user, working for a start-up, or for other reasons involved in online marketing for your company or yourself: chances are high that these services are no strangers to you.

You may not have thought about it, but that means most probably you are transmitting data to the United States. Personal data of yourself or of customers. And that means – you really want to follow what’s happening with EU-US agreements on data protection. Most importantly right now: the “EU US Privacy Shield”, which just entered into force on 1 August. An example where EU politics meets real life, and where public affairs work is to your personal benefit.

So, what is this about, should you be worried, and what does it mean for your online behavior?


The EU US Privacy Shield – what it’s about

In 2011, the Austrian Max Schrems, back then a law student, began his battle against Facebook over storing his data in the United States – thereby allowing the NSA in particular to access his data. After an initial procedure in Ireland, he managed to initiate a broader lawsuit – a class action lawsuit, in fact – in 2014. In the wake of the revelations by Edward Snowden concerning NSA surveillance of personal EU data, this lawsuit led to a remarkable decision of the European Court of Justice in 2015: the existing EU-US data protection agreement (called “Safe Harbor”) was ruled insufficient for the protection of EU data stored in the US.

Abolishing the “Safe Harbor” agreement meant severe problems for any kind of transatlantic business between companies. In a nutshell: exporting data to the United States without a proper agreement with your customers put you under threat of paying fines up to 50 000 Euro. An enormous sum for small businesses. The way out was to conclude certain standard clause contracts with each of your customers, or to ensure that data would not leave the EU.

For many businesses, this was simply too much to handle – not only the bureaucracy but, more importantly, the uncertainty. So a new agreement was negotiated, which is now called the “EU-US Privacy Shield”.

Problem solved? Well, partially, and for now.


What the EU-US Privacy Shield does and doesn’t do

There are a few things the new agreement promises.

You can complain directly to a US partner or to a data protection authority in the EU, and you will at least receive a mandatory response. You can even go to a US court as an EU individual. And before it comes to a court case, a process has been put in place to resolve the complaint. Your US partners, as well as you yourself, are obliged to provide information about their and your privacy policies. Most importantly for those fearing NSA interest in their personal data, bulk collection of data will be limited to “specific preconditions” – whatever that means.

In short: the idea is that US and EU data protection are on an equal footing. Many are relieved for the moment. As a business, you can export your data to the US again. As a user of social media, you have a certain way to access the personal data you provided, and to protest if it is not handled according to EU data protection law.

There’s a catch.

The agreement has not really tackled some of the most important issues – for instance, the question of bulk data collection has been left up to interpretation. Other aspects are also vague – and unlikely to hold up before the European Court of Justice.

And therefore, the agreement is likely to be challenged in court again – and since the complaints have been addressed only half-heartedly, it may well be overturned again.


Monitoring EU-US data protection: your very own responsibility

You thought regulation was none of your personal concern? In this case, it should be. This is where your responsibility as a social media user starts, at the very latest.

What you can do:

  • Follow what’s going on: easy to do, as the larger national newspapers report all changes. Perhaps not on the front page, but certainly prominently enough for you to come across them.
  • Monitor the European Commission’s data protection information. Admittedly not the easiest in terms of readability, but useful:
  • Check out the Privacy Shield’s brand new website:
  • In particular, check whether the companies whose products you use have signed up to the shield at all.
  • Have a good look at what you are doing with your collected data; possibly change what you collect, where you collect, and which companies you work with. Are you informing your newsletter recipients properly?
  • Comply with new data protection decisions made in your jurisdiction. Some companies faced real issues in Germany, when the Hamburg data protection office fined them heavily for not complying quickly enough with the new situation after “Safe Harbor” was abolished.
  • If you are unhappy with how this issue is handled, and it really affects you – start to lobby for a better solution.

By the way, the next big thing is just around the corner: in 2017, the European Commission will review its ePrivacy Directive – with new rules on how to process personal data.

And with this information, we square the Public Affairs circle: monitoring work is the first step in Public Affairs work – carving out your very own stakes in the matter, framing your interests in a convincing way, and communicating your message to the relevant policymakers is what Public Affairs professionals do next.

Still wondering how to follow relevant developments, or where to find the time? Get in touch with us: we can advise you, set up a monitoring process that you can outsource to us, and ultimately support you in your Public Affairs work!


Sincerely yours

Irina Michalowitz
