As the self imposed (by the E.U.) deadline (for coming up with a replacement for Safe harbor) of January 31st looms near, we don’t really know what is going to happen. My guess is not much, but stay tuned.
The background is that when the European Court Of Justice struck down Safe Harbor last year, Working Party 29, the group responsible for cleaning up the mess in the aftermath of the ruling, created a deadline of January 31 of this year for a new agreement to be in place or else. Or else what? Not really clear. What could happen is ALL that data transfer which was done under the old Safe Harbor agreement stops. I don’t believe that will happen.
There are a lot of negotiations happening behind the scenes.
One critical piece, a U.S. law that gives E.U. residents the right to sue for redress in U.S. court for privacy violations – a right that they do not have today and a right which the E.U. said was critical to not shutting down data transfer, passed a vote in a Senate committee. Typically, there is a long and winding path between a committee vote and the President signing a bill into law, but still, this is a move in the right direction. Do I think this will get signed by January 31? No.
On the other side of the coin is the data sharing provisions (what used to be called CISA) in the recent budget bill. Since the Senate took out many of the privacy provisions, some say that even if an agreement is signed, the ECJ might say that CISA is a huge hole in E.U. citizens’ privacy rights since the law says that you can’t sue companies if they share your private data with the NSA. Oh, wait, companies share it with Homeland Security. Who is free to share it with NSA, FBI, DoJ and a whole raft of three letter agencies.
The E.U. has basically approved the new data protection agreement for Europe called the General Data Protection Regulation or GDPR. It is actually much stricter in terms of provisions than the old law.
I think February could be very interesting.