On June 12th, 2016, the EU-US Privacy Shield was approved by the Court of Justice for the European Commission (CJEU), and it will be voted on by the Article 29 Working Party on July 25th for final approval. This is a big step in the approval process for the Safe Harbor replacement, and it will hopefully provide a simple and legal process for exporting data from the EU to the US.
The most notable change in the EU-US Privacy Shield is the inclusion of the CJEU's language requirements, which increase the level of protection EU citizens have over their personal data. The CJEU lobbied for these increased measures after the Safe Harbor Agreement was overturned. Some of the other changes and differences between the EU-US Privacy Shield and Safe Harbor include:
- Organizational Commitments – Any US company wishing to import EU citizen data must commit to several obligations on how the data will be processed, used, distributed, etc., and must assure the EU citizen rights guaranteed within the Privacy Shield.
- Enforcement – The Department of Commerce will be responsible for ensuring compliance with the Privacy Shield obligations. An organization that fails to meet the Privacy Shield requirements will face sanctions, or will no longer have its EU-US data imports and exports recognized under the Privacy Shield.
- Effective Protection of EU Citizens’ Data – Unlike Safe Harbor, Privacy Shield establishes several guidelines that both organizations and EU citizens may follow to help ensure the proper usage and protection of EU citizen data. Privacy Shield also establishes a special ombudsman for any complaints tied to national intelligence agencies. The U.S. State Department has appointed Department of Commerce Under Secretary Catherine Novelli as the Privacy Shield Ombudsman; the appointment was made by Secretary of State John Kerry.
These changes, along with several others, have a significant impact on the way data flows between the US and the EU. This data is vital to many economic, marketing, and service industries and organizations, and can be a vital source of revenue for many corporations. To ensure that this data flow is not interrupted, US organizations have begun preparing for the requirements of the Privacy Shield and for how to remain compliant with the regulation.
From a broad perspective, IT asset managers naturally fit the role of Data Protection Officer (DPO), which is now a required position for organizations to fill. The reason is that IT asset managers are specialized employees who already monitor, track, and maximize the usage of IT assets and the data, licenses, protected information, etc. held by their organizations. Since the Privacy Shield governs the flow of data between the US and the EU, it makes sense for IT asset managers to add that flow to the facets of the organization they monitor. In doing so, IT asset managers become a key component in ensuring compliance and certification under the Privacy Shield obligations.
DPOs are also responsible for monitoring how EU citizen data is processed, monitoring EU citizen requests, and ensuring continued compliance with the Privacy Shield. There are also compliance and auditing requirements built into the Privacy Shield regulation. Again, IT asset managers are uniquely prepared to handle these responsibilities because of their software license management and software compliance audit experience. Understanding the contract language of various software titles and monitoring software usage to ensure it does not exceed the contractual terms and conditions is a practiced skill that translates directly to an organization's usage of EU citizen data. The ability to pass an audit and/or retain certifications is also a skill a DPO will need.
Based on both skill set and functional needs, an IT asset manager is pre-qualified for a DPO position in any organization that will be utilizing EU citizen data. The data held on IT assets is already the responsibility of IT asset managers, and IT asset managers have already created processes for adhering to contractual terms and conditions so that compliance can be demonstrated during an audit. These are all actions that translate directly to the Privacy Shield requirements.
It would be in the best interest of organizations around the world to consider IT asset managers as primary candidates for their internal DPO positions.