The privacy community was abuzz this past week, as the new Privacy Shield Framework opened for business. On August 1, companies could begin self-certifying under this new program, which replaced the 15-year-old EU Safe Harbor Framework governing transfer of personal data between the EU and U.S.
We’re only a few days into the new program, but several companies have already certified and many others have begun the process, although the U.S. Department of Commerce has yet to list any certified companies. Through corporate blog posts, however, we have learned that two of the first applications came from Microsoft and Workday, which moved quickly to submit their Privacy Shield certifications. In the coming weeks, we will see more and more companies submitting for self-certification as they review not only their internal policies but also those of their vendors and partners.
For the unfamiliar, the concept behind the now-invalidated Safe Harbor, and the new Privacy Shield, is to ensure “adequate” treatment of EU citizen data when it is transferred to the U.S. The concern is that levels of data protection differ between the EU and the U.S., and thus once EU data is in the U.S., it would not be entitled to the safeguards offered by EU data protection law. These frameworks were designed to ensure that if the data travels to the U.S., it is sheltered within a governance mechanism that provides equivalent protections.
Safe Harbor endured criticism but, all things considered, functioned well in its time. The evolution of Internet technology, the explosion of personal data created on social media and other sites and stored on servers in non-EU geographies, and in particular the revelations surrounding U.S. government surveillance techniques escalated the pressure on Safe Harbor, leading the European Court of Justice ultimately to invalidate the framework in the fall of 2015.
Since then, the U.S. Department of Commerce and the European Commission have collaborated to develop a new mechanism that provides companies on both sides of the Atlantic with a means to comply with EU data protection requirements when transferring personal data from the EU to the U.S. The final result is the EU-U.S. Privacy Shield.
Several key aspects of Privacy Shield are worth mentioning. In particular, Privacy Shield imposes greater disclosure and opt-out requirements than Safe Harbor did. Another key feature of Privacy Shield is that it requires that companies provide EU citizens with easier access to data about them and make it easier for them to have that data changed. But perhaps the most important aspect of Privacy Shield is that data controllers are now accountable for the actions of third parties with whom they share data. Data controllers will now have to exercise effective oversight over those third parties to ensure they use the data only for limited and specified purposes.
One week in, however, there remain legitimate questions about the durability of the Privacy Shield framework. The future of the new data transfer framework may depend on how well it functions over the next year. On July 26, the Article 29 Working Party (WP29), the committee tasked with advising the EU on personal data protection, responded to the formal approval of Privacy Shield by reiterating a number of its misgivings but vowed to hold off on raising objections until a review of the Shield’s first year of performance. The WP29’s statement means European privacy regulators will be watching to see whether U.S. companies live up to their Privacy Shield commitments. Further, although Europe’s privacy regulators may have collectively agreed to Privacy Shield, at least one data protection authority in Germany is signaling its intent to challenge the adequacy of the Privacy Shield even before the one-year watch-and-see period is up. These are pretty strong “uncertainty” signals, something businesses don’t like.
There is also the post-Brexit effect to consider. Although Britain is not expected to initiate the two-year exit process until 2017, at some point Privacy Shield will no longer be able to serve as the basis for cross-border personal data flows out of this key European market. This historic decision occurred just weeks before the Privacy Shield Framework was approved, which made it difficult for the program architects to draft an appropriate response, but there should be a strategic imperative to address this elephant in the room and quell this additional uncertainty in the marketplace.
Using data ethically builds trust. If brands can build trust with the consumer around the use, protection, and stewardship of data, strong ethics becomes a strategy where all stakeholders – brand and consumer – benefit from the value created through the data exchange. As the privacy debate continues to unfold throughout the world, Privacy Shield underscores the concerted effort to strengthen consumer data protections and ensure brands and marketers are accountable with the personal data entrusted to them.