Privacy Shield: Where are we now?
For 15 years, businesses transferred the personal information of European Union citizens to the U.S. for storage and processing. But when Safe Harbor was ruled invalid by the EU in October 2015, the approximately 4,400 companies that operated under Safe Harbor found themselves at risk of losing business if government authorities did not reach a new agreement.
"The annulment of the previous Safe Harbor agreement created legal uncertainty and confusion," said Christoph Luykx, director of global government relations in the EU at CA Technologies. "We had seen increased uncertainty around the ability to move data internationally, which created the risk of a fragmented approach in Europe towards international data flows."
Last February, officials from the European Commission and the United States agreed to form a new pact for exchanging data. After some back and forth, the new Privacy Shield program was officially unveiled in July 2016. In August, organizations wanting to participate in the program began submitting their applications and documentation.
The new Privacy Shield mandates U.S. companies offer stronger protection for Europeans' personal data. It also requires the U.S. Department of Commerce and the Federal Trade Commission, in cooperation with European Data Protection Authorities, to monitor and enforce data privacy violations.
It has been more than a year since an initial agreement was reached, and now companies are working to fall in line with the regulation. So, how is the tech industry faring with the agreement?
Where are we now?
In the seven months since the Privacy Shield program was adopted by the U.S. and EU, and administered by the Department of Commerce, nearly 1,500 organizations have signed on to the program. These include both U.S.-based companies and European companies that want or need to transfer data on individuals to the U.S.
"Trust in the protection of personal data when transferred between countries and continents is crucial for EU/U.S. commerce, and fulfilling the agreed upon requirements in the Privacy Shield are necessary to foster that trust," said Eduard Goodman, chief privacy officer at CyberScout. "Without it, as was the case for the nearly eight-month gap between the dead Safe Harbor program and the new Privacy Shield program, legal and regulatory uncertainty would dominate and cause numerous problems for trans-border business and trade."
But what does Privacy Shield mean to the average U.S. CIO? Today, a big part of many CIOs' work, irrespective of where they are based, is to enable the organization to move data around the world in a rapid and secure manner to help build trust and deliver innovative services to customers. Such data flows allow businesses to be competitive on a global scale, according to Luykx.
"The EU/U.S. Privacy Shield can help a CIO achieve those objectives," Luykx said. "Adherence to the Shield can demonstrate to customers that the organization is putting in place various mechanisms to protect data."
Also, the Privacy Shield impacts the CIO of any trans-national enterprise.
"Every CIO should be aware of Privacy Shield as it does allow them to get more creative with system and data redundancies and systems within global operations that encompass the U.S. and EU," said Goodman. "Proper use of Privacy Shield to structure IT infrastructure in any international business can be worthwhile in and of itself as it can also potentially save operational expenses and IT budget expenses."
In other words, for organizations that wish to exchange personal data between the EU and U.S. regarding their European customers, clients, or employees, the Privacy Shield is an important and necessary consideration.
And, while the organization’s legal or general counsel, chief privacy officer, head of compliance, etc. may be the individuals or departments responsible for instituting participation in Privacy Shield, "it is the CIO and those that report to the CIO that will often be the ones who both have to operationalize and deal with the system ramifications," said Goodman.
As companies evaluate and update their policies to meet the requirements of the Privacy Shield, CIOs need to work hand in hand to ensure IT systems are configured to support any updated policies, Luykx said. This is important for self-certification. CIOs also need to continuously monitor the developments in privacy agreements and implement the necessary process and technology tools to remain ahead of the game.
Could the Privacy Shield be voided by executive orders?
Part of the approval process for Privacy Shield on the European side had been the commitments made by the U.S. administration. When President Donald Trump signed his immigration-related Executive Order in late January, it sparked some concerns that Privacy Shield could be voided. But FTC Commissioner Julie Brill says the executive order does not affect Privacy Shield.
In a recent blog, Brill notes that the executive order actually refers to the federal Privacy Act, "which does not impact any U.S. commitments under the Privacy Shield agreement."
That's not to say that Privacy Shield could never be canceled, however. U.S. executive orders — or any other legislative action that may impact privacy, data collection, or other tangential areas — could always potentially cause the EU to pull the plug on the program.
"Remember that this is a program that exists simply due to European requirements around the treatment of data," said Goodman. "If the European Parliament or the courts determine that any U.S. orders or regulations may place that data at risk, it's dead. This is not a legal treaty that is binding in international law. At best, one could look at it as a Gentleman’s agreement, one that could last another 15 years (as long as Safe Harbor) or could be killed due to some perceived conflict by the Europeans."
Luykx notes that during the first annual review between the EU and U.S., potentially in September, both sides will take stock of the commitments made and the implementation.
"Of course, at any time, both sides can suspend the agreement should they deem the conditions are no longer met," said Luykx.
Goodman suggests CIOs use Privacy Shield for all it's worth today, but don't necessarily count on it being around forever. "Take advantage of everything that Privacy Shield provides, but never become dependent on it operationally or otherwise."