It seems that finally begins to see the light at the end of the tunnel.
The European Commission has published an information note on progress in negotiations with the United States regarding the Safe Harbor framework, confirming that it has reached an agreement to work on a new framework to flows of personal data between European companies and US: US-EU Privacy Shield.
Does this mean that now we can continue freely using MailChimp, Dropbox, Google, etc?
The answer is unequivocal: No.
What it means is that they are taking steps to solve the problem, but rather late, because the time allowed by the European authorities for data protection expired last January 29, and all companies affected by this issue should already He has solved its international transfers from one of these ways:
Migrate to treatment of personal data located in Europe.
Obtain the consent of those affected to keep the processing of data in the US.
Obtain authorization from their national data protection authority (AEPD in Spain); however, it is striking that, on the date of publication of this article, the AEPD has not published a single resolution authorizing international transfers on their website, when the pace of approvals until Puerto Seguro was canceled was about 10 per month (we know if there have been authorizations which have not been published).
Or, to flows of personal data within groups of multinational companies, recording a Binding Corporate Rules (BCR for its acronym in English) before some of the European authorities on data protection (although, to date, the AEPD has never done this procedure).
So what are the next steps?
At the moment, one can only wait for the solution of this problem is accelerated and the next steps are followed:
The European Commission must prepare a draft decision Privacy Shield, a framework which, if all goes well, will become the “heir” of Safe Harbor.
This draft will be examined by the European data protection authorities before being approved.
With the OK of the data protection authorities, and once approved the decision of the Commission, presumably that US companies wishing to join the Privacy Shield, shall carry out the formalities to collect the new framework. In addition, it is expected that these procedures are not as static as in the case of Safe Harbor, but to be made updates and more frequent revisions, which, although it seems positive, could also lead to legal uncertainty when hiring these services under cover in this framework.
From the moment the compliance with these procedures is certified by US companies that decide to join the Privacy Shield, the use of the services of such companies for the processing of personal data by European companies will not require authorization from the Director the AEPD.
And while we do?
While not cover these 4 steps, hiring data processing services in the US, you must continue contemplating one of the solutions listed at the beginning of the article.
And, considering the complexity of some of these solutions, wherever feasible, it seems that it would be best to wait.
Otherwise, it is possible that “reach the goal at the same time, but with many more efforts.”
And if it should not be solved in the short to medium term?
We know if US offerings are considered sufficient by European data protection authorities; however, the AEPD has published a note about it, which again insists, somewhat enigmatic, they should look for “sustainable solutions”.
Perhaps this is an indication that the agreement reached by the European Commission is insufficient to the authorities of data protection, or even being sufficient, the use of this new framework will not give much comfort to European companies as in the case of Puerto Insurance.
If it should not be solved in the short to medium term, we should also continue choosing between one of the 4 solutions indicated at the beginning of the article.
However, it should be noted that the European Regulation on Data Protection will be approved this year, and, according to the draft, it is expected to expand its scope to companies located outside the European Union that deal with data residing in EU the provision of certain services.
This raises the next question we posed for reflection:
Can an American company, subject to compliance with the future General Data Protection Regulation, be considered an “unsafe” destination for the purpose of data protection that requires authorization from the national authority?
In short, it is good news for European companies, but is long overdue, and will catch most European companies with the foot changed, since they all should have solved the problem before 29 January.
However, it can be a departure for new hires treatment services data they want done in the short or medium term with companies located in the United States, but in view of what was experienced in recent months, may not be the best choice .
Loreto Jiménez Muñoz
José Carlos Moratilla
AUDEA Information Security, S.L.