If your U.S. company plans to bring health data from the European Union back to the states, you must address an additional privacy requirement laid out by the European Court of Justice. The EU-U.S. Privacy Shield, which replaced the previous Safe Harbour Framework, levies a stronger obligation on U.S. companies today. To comply, companies must either self-certify for the EU-U.S. Privacy Shield or obtain a third-party assessment. This self-certification or assessment confirms that your company meets the Privacy Shield Framework requirements that help protect the personal data of Europeans.
While everyone is gearing up for the General Data Protection Regulation (GDPR) that goes into effect for the European Union on May 25, 2018, one critical facet cannot be overlooked for customers who aspire to work internationally.
Q & A with Lori Meals
Datica Director of Compliance Lori Meals has been gathering more details on the Privacy Shield and readying Datica for its own self-certification. She recently sat down to answer questions on the topic that will be helpful to you as you think through the necessary steps in bringing private health data back to the states from abroad.
Why are the privacy protections more stringent in the European Union than the U.S.?
The EU has been more progressive around data privacy, and that’s especially true for Germany. During World War II, the fascist regime used personal information to target people for all sorts of atrocities. Therefore, Europeans are especially sensitive to this sort of personal data being shared.
Why was the Safe Harbour Framework invalidated and the EU-U.S. Privacy Shield enacted in its place?
It all comes down to Edward Snowden. Remember him? He’s the former National Security Association (NSA) contractor who revealed that the intelligence agency had been spying on European citizen data held by American companies. That snowball quickly rolled downhill to Facebook. Austrian student Max Schrems filed subsequent lawsuits, alleging that Facebook had not been protecting personal data of Europeans, as extrapolated from the Snowden leaks. Those leaks showed that the NSA performed surveillance on technology companies, like Facebook. His complaints landed in the European Court of Justice, whose governance quickly invalidated the Safe Harbour Framework and exacted a seismic shift upon international data privacy.
Is the Privacy Shield certification required for Datica?
No, it is not incumbent upon us, but it is for our customers, assuming they are expanding into Europe and/or using European citizen data. Without the Privacy Shield, a U.S. company is potentially liable when not adhering to these principles.
What must a customer know about Privacy Shield?
The Privacy Shield has a couple of important vocabulary words: data controller and data processor. Datica would be the “data processor” because we only work on behalf of those who are collecting the data. The Privacy Shield lays out the data protection principles that give an individual the right to know that a company holds their data, and to request that such data be deleted, updated or changed, as well as to request copies of it.
Is there anything else that a Datica customer needs to know?
Before expanding into Europe, U.S. companies must sign a Data Processing Agreement (DPA). The DPA signifies the agreement the parties have made with respect to terms governing personal data processing. Organizations will also need to contract with a third party to handle complaints about how the organization handles data, should any arise.
How does this impact digital health companies long-term?
The rules and regulations have become more stringent upon U.S. companies involved with cross-border data transfers. Abiding by the European requirements is imperative for staying out of hot legal waters.
Datica exists to help make digital health companies successful, whether they work solely with U.S. citizen data or dip a toe into the commercial waters between countries. We live in a thriving, global digital economy today. When everyone follows the rules, we increase the chances of digital health success and decrease the chances of getting our hands and wallets slapped in court.