From Safe Harbour to Privacy Shield: what is happening to our data?

From the very beginning at LINK Mobility we have always ensured that all our servers and data centres are based in Spain, under Spanish law, so that we can more effectively protect every single one of our clients’ communications.

In spite of the fact that we are immersed in a world that is ever more globalized, our attitude and focus on the security of data in Spanish territory provides a genuine guarantee. To understand this you need look no further than the complicated situation that has arisen with regard to the protection protocols for transatlantic data flows.

The cross border data transfer sector experienced a profound shake up when, in October 2015, the Safe Harbour agreement was declared invalid because it did not guarantee an adequate level of protection to the personal data transferred from the European Union to North American companies. The situation was serious, affecting more than 4000 businesses: from SMEs to giants such as Facebook, Yahoo, Twitter, MailChimp, Apple, Microsoft and Amazon, with enormous levels of data management.

Since then, the USA and the European Commission have been in negotiations to come up with a new protocol setting forth stricter obligations and stronger oversight of American companies to ensure the security of the European citizens’ personal data. This protocol is known as Privacy Shield, a renewed framework which includes safeguards that are equivalent to the European Union’s data protection rules.

Both parties already reached a political agreement last February, the key points of which are as follows:

1. More and stricter obligations for companies, which may involve penalties or exclusion from the agreement if they are not fulfilled.
2. Control and transparency in access to information by the US government. This means that US intelligence services cannot gain indiscriminate access to personal data. Access will only be gained if it is essential, subject to certain limitations and all kinds of safeguards.
3. Protection of the EU citizens’ rights through several possibilities of redress. EU citizens may file their complaints to the companies themselves, which have to resolve them within 45 days. They can also approach national data protection authorities who will work jointly with the Federal Trade Commission to investigate and resolve them.
   Furthermore, there will be an Ombudsperson, who will hold responsibility for handling and processing complaints.
4. Annual joint review: Privacy Shield will be a live mechanism that will be periodically reviewed by both parties. The European Commission and the United States Department of Commerce will review the mechanism on an annual basis to monitor the agreement’s development and scope to ensure that it works as foreseen.

However, after including additional clarifications on mass data gathering, strengthening the Ombudsperson mechanism and setting forth certain more explicit obligations for companies regarding limitations on keeping and subsequently transmitting data when the protocol comes into force, it has not been reviewed to date. Thus, Privacy Shield will enter into effect in the EU as from July 2016 and in the USA as from August 2016.

Once it is definitively approved, we will have to see where this new framework is lacking. Though it is an improvement on Safe Harbour, its predecessor, it has not fully managed to convince experts in security.

We will keep a very close eye on its development, but we insist that there are no problems with LINK Mobility thanks to our strategic decision to keep all secure information in Spanish territory.