The European Union, through the European Court of Justice, has been trying to stick a rod into the gears of internet information flow for years. The E.U. was temporarily mollified in 2000, when it agreed to a Safe Harbor agreement with the U.S. The pact purportedly assured that the data of European (including Swiss) citizens was sufficiently protected from marketers, government agencies and other parties hungry for information that could be put to any number of nefarious purposes.
Subsequent consumer complaints, especially related to the practices of Facebook, caused the E.U. to take a tougher stance. Last October, it jettisoned the Safe Harbor agreement and replaced it with the EU-US Privacy Shield. The new framework is intended to ensure that European citizens’ data is “fully protected,” according to Andrus Ansip, vice president of the European Commission.
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies,” Commissioner Vēra Jourová said in a statement. “For the first time ever, the United States has given the E.U. binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”
Despite the presence of the older agreement, “there was a general feeling that the U.S. government pried too much into data, had too much access, and that data was not protected,” says Hannah Kain, president and chief executive officer of supply-chain services provider Alom.
Now, U.S. companies or agencies desiring to capture personal data from Europe will be held to “robust obligations” regarding how the data is used, according to the European Commission. Companies must respond to individual complaints within 45 days, and European data-protection authorities can take any unresolved issues to the U.S. Department of Commerce and Federal Trade Commission.
The Privacy Shield emerged from intense negotiation between U.S. and E.U. authorities, but in the end, the Americans had little choice but to accede. “The feeling was that it’s better to have legislation or rules that business can adhere to, than not be able to do it at all,” Kain says.
The impact on U.S. business will be substantial, she says. Any exchange of applicable information must be done in accordance with the strict protections of the law. What’s more, the transfer of information promises to have a “snowball effect” throughout the various stages of the supply chain. Each individual touching that data must comply, and the effort won’t be cheap. Kain says a company previously paying under $5,000 per year in compliance costs could easily see that number increase by a factor of ten.
Side questions will arise as well. For example, does the courier service handling relevant products have to comply with the law? What about the U.S. Postal Service? “It raises a lot of legal issues,” says Kain.
Nevertheless, she hopes the new regime will hold up in the courts, given the prospects for extreme uncertainty should it be invalidated. “The alternative is going through another period of the Wild West,” she says, “where it’s illegal for U.S. companies to hold data pertaining to Europe.”
All affected companies will have to get on board, with a combination of standard language and certain practices that are tailored for each entity. A 60-day grace period began August 1 for those operating under the Safe Harbor regime to seek temporary approval under the Privacy Shield. Then they’ll have nine more months to be in total compliance.
The effort will range well beyond the walls of each company, which will have to request compliance by Tier 1 and 2 suppliers. Smaller vendors might find themselves unable to afford the cost, and be expelled from the supply chain.
Businesses will need to rewrite their privacy policies, train all individuals with access to data, and keep detailed records. The requirement extends to U.S. companies that don’t directly do business in Europe, but are working with subcontractors that need to be certified.
Even call-center workers will need to be brought into the program. “Say a telemarketing company is managing the call center, transmitting data that sits on certain servers,” says Kain. “Then it goes to a company that does analytics, then a fulfillment house – all of a sudden, lots of people are touching customer data in a normal, simple operation.” Others impacted by the law include those who access data to conduct demand planning, forecasting and marketing campaigns. They’ll need to set up procedures to make data “blind” – even if the precise definition of that term is unclear.
Can’t manage the effort? Then prepare to be banned from doing business in the E.U. The only alternative is to get compliant with the Privacy Shield, and that means starting now. Stresses Kain: “Companies that have not begun looking [at compliance] need to get going on this very fast, whether they were under the Safe Harbor or not.”