For compliance people, one of the biggest challenges in recent years came when courts in the European Union ruled that the so-called “Safe Harbor” approach to ensuring data privacy for its citizens was no longer sufficient.
After lengthy negotiations, the European Commission and the U.S. Department of Commerce have agreed on a new structure for bridging the differences between EU protections and those provided within the US.
From a corporate perspective, the new arrangement comes with stronger obligations on US-based organizations to protect personal data of Europeans. But it’s no longer simply based on trusting companies to do the right thing. Instead the agreement specifies ongoing monitoring and enforcement activities by the Federal Trade Commission (FTC) and the Department of Commerce in the US in coordination with European officials. The measures specifically address the potential that has most worried Europeans, namely that government snoops in the US might scoop up data on individual Europeans without their knowledge or consent.
In response to those concerns, the U.S. government has agreed that any such action would be subject to very specific conditions, with limitations and oversight. Furthermore, an ombudsperson will field any concerns raised by Europeans with regard to the process and its effectiveness.
All of that sounds like a step forward. The demise of Safe Harbor has been very troubling for Life Sciences companies, especially those with substantial activities in both regions. With the blessings of the EU and the US, business should be able to go back to something that looks like “normal.” However, a closer reading of Privacy Shield, with its layers of protection and nuanced language, leaves one with the suspicion that those who are wary of the adequacy of protections available on this side of the Atlantic, particularly regarding government data grabs, will likely be finding new ways to derail the process.
Indeed, key members of the European Parliament have already reportedly voiced opposition to the measure. It is also important to note that the agreement isn’t fully finalized, so for the moment, companies must continue workarounds under existing legal structures.
Beware of potential costs associated with the measure, too. Unlike in the past, when companies could more or less “promise” to do the right thing, Privacy Shield demands actions and imposes considerable levels of government scrutiny, not to mention potentially significant fines for non-compliance.
That’s not intended as negativity. Progress is progress after all. But there will continue to be many issues to contend with. For now, at least, Life Sciences organizations have something they can work with…
Lisa Keilty, Global VP of Compliance and Strategic Solutions, AHM
Lisa joined AHM after serving as founder of the Compliance Consulting firm PMC2 and spending over 26 years in the life sciences and meeting management industry. Leading such organizations as Pfizer, Bristol Myers Squibb and Biogen Idec through numerous international projects, financial transparency and reporting requirements, Lisa’s industry expertise has saved Life Sciences and Meeting Management organizations over 30 million dollars. As a member of the Business Development team, Lisa’s primary focus will be Thought Leadership, Demand Generation and Solution Design.