How to deal with the new Privacy Shield agreement

What does this Privacy Shield rollout look like, and what will it actually mean for data transfer and storage?


Earlier this summer the European Commission and the US Department of Justice signed the much-anticipated EU-US Privacy Shield data pact agreement. As of Aug. 1, 2016, companies and other entities in the United States are able to register with the Commerce Department, self-certifying their compliance with the Privacy Shield’s principles.

Many companies are still deciding whether they will self-certify because they don't completely understand what the rollout will look like and the impact it will have on data transfer and storage.

Kendall Burman, a cybersecurity and data privacy counsel at Mayer Brown, offered some advice on the data transfer and storage issues companies need to be prepared for, including and extending beyond Privacy Shield. Hopefully these insights will help you to determine what is the best course of action for your enterprise in light of this new agreement.

Depending on your company, you've either been anxiously awaiting this agreement and will eagerly self-certify or you've started thinking about whether you have data to transfer. If you're part of the latter group, you're likely asking whether Privacy Shield is a good fit for your business.

"That second category of companies is in the strategy phase," said Burman, "there are advantages in terms of ease and use of it. It can be much easier to be certified to the Privacy Shield than having to look at each contract."

Still, many remain anxious about the uncertainty and are reluctant to move too quickly. "Article 29 gave some comfort as it provides a moratorium for one year as details get worked out, to see how the principles apply and how companies deal with the new agreement," said Burman.

There are, said Burman, principles of the Privacy Shield that are worth specific attention because they differ from, or go beyond, the Safe Harbor provisions.

For companies to transfer data, whether certified or not, they need to ensure data is protected according to those Safe Harbor principles. "That third party, even if not certified, will be required by contract to protect data with the same level of security set forth with Privacy Shield, which is one reason it may be beneficial to certify," said Burman.


Because different companies have different business models, there is no one right course of action. Burman said that if a particular business receives personal data from very few sources, and can meet EU requirements through its own practices, that is a workable option.

"The concern that has been pervasive is whether whatever replaces Safe Harbor would endure. There’s no doubt that there will be legal challenges to Privacy Shield," Burman said. For those enterprises that have alternative workable options, you might be able to continue on as usual while those legal challenges get resolved.

Another issue of concern with choosing to self-certify is around data integrity and purpose limitation. Burman said, "It has been revised from Safe Harbor requirements so that organizations will no longer be able to process personal information in a way that is incompatible with the new provisions."

This means that if a company has relied on a privacy policy in which the purpose of its data collection was specific or narrow, these new requirements around data integrity could present problems when it comes to revising or reinforcing that policy.

"There are a lot of different enforcement mechanisms that are different from Safe Harbor. There are more layers. If there is a complaint, the company needs to respond. Data protection authorities is one recourse, but it could also be directed to the Federal Trade Commission," Burman said.

What's also worth considering is that even if you don’t receive complaints, Privacy Shield places a huge emphasis on a company actually living up to its principles.

"Depending on how they address these issues, there may be more work for them to gear up. If you were an above the board member of Safe Harbor framework, and were vigorous in how you looked at these issues, you updated regularly, then enforcement and recourse will work," said Burman.

One critical goal of the new agreement is to ensure that a company is not just writing policies on how it ought to handle data but is actually living up to its commitments. Its data transfer and storage transactions should show that it is rigorous in protecting data.

Opting to self-certify is an empty effort if your business isn't living up to its promise.

Copyright © 2016 IDG Communications, Inc.
