To anyone familiar with doing business in Europe, it really is no surprise that representatives from supervisory authorities of each European Union (EU) country, the European Data Protection Supervisor (EDPS) and the European Commission, together referred to as the Article 29 Working Party (WP29), rejected the EU/US Privacy Shield data transfer agreement.
Europeans believe personal privacy is a fundamental right of all people, similar to the way people in the United States believe in freedom of speech.
Though no revisions are imminent for the EU/US Privacy Shield, the rejection should signal to companies that they must rethink privacy. Across industries ranging from banking and financial services to retail and e-commerce, competitive advantage and market share will be won and lost depending on an organization’s ability to exhibit how it protects customer data, as well as partner, employee and corporate information.
The Privacy Shield agreement is a framework designed to “protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” Though WP29’s word is not law, its views often set precedents upon which data regulators in each European country base their laws.
WP29’s official statement cites “an overall lack of clarity regarding the new framework as well as making accessibility for data subjects, organizations, and data protection authorities more difficult” as the overarching reasons for its rejection of the agreement in its current form.
Given every European citizen “has the right to respect for his private and family life, his home and his correspondence,” without interference from a public authority, it is no wonder WP29 requests more clarity before sending its citizens’ data freely across the Atlantic.
Not after the National Security Agency (NSA) and Central Intelligence Agency (CIA) were found to be in cahoots with Germany’s spy networks. Not after document leaks revealed PRISM, the surveillance program under which the NSA collected customer information from nine different U.S. telecoms companies. Not after the Federal Bureau of Investigation’s (FBI) kerfuffle with Apple over an unlocked iPhone.
Show me the… specifics
WP29 stated that its major concern with the Privacy Shield is that the U.S. would not hold European citizens’ data to the same privacy standards that current European laws require. Specifically, WP29’s assessment calls for increased clarity about “massive and indiscriminate collection of personal data originating from the EU,” even in light of counterterrorism efforts.
To consider accepting a revised Privacy Shield agreement, WP29 asks that the Commission add a glossary of terms to the agreement’s appendix to define and bring more clarity to the use of important notions, such as commercial data retention and citizens’ rights to reject automated data processing.
Change is around the corner; companies must address it now
In order to develop and pass a data transfer agreement, the U.S. will have to take Europe’s concerns much more seriously than it has up to this point. The recent spate of privacy issues, headlined most recently by the Privacy Shield rejection, is likely to awaken in U.S. consumers and organizations a deeper reverence for data privacy.
Already Microsoft has sued the U.S. Department of Justice (DOJ) over requests for customer information; a lawsuit alleges Vizio collects and shares its customers’ TV-viewing information; even don’t-be-evil Google has been sued over its reading of students’ emails.
While companies may not have to comply just yet with additional regulatory stringency, they must begin to weigh how to protect data across their corporate infrastructures. Those that adopt more robust privacy practices will have an advantage over competitors who fail to see the Privacy Shield rejection for the harbinger of change it is.
As companies consider a path forward, it becomes increasingly important that they perform their due diligence with regard to data-management tools and policies. Box, for instance, recently introduced Box Zones, a cloud-based storage solution that honors country sovereignty. All firms will eventually need to demonstrate that they are proactively addressing data privacy.
The companies that lead the way in data privacy standards will also develop a competitive advantage and win market share. To pave the data privacy road, companies need to build privacy features and benefits into their products and corporate infrastructure. They must demonstrate that they protect corporate, partner, employee and customer data, and clearly and publicly define the specifics of their privacy initiatives.
We are in the age of information, the age of transparency. Companies must heed privacy concerns, or risk falling out of step with regulatory compliance guidelines and falling out of favor with customers.