U.S. / EU Privacy Shield Logo
PHOTO: Shutterstock

Privacy Shield, a legal framework struck among the US, the EU and Switzerland, seemed to be a godsend to companies seeking a way to comply with data protection requirements when transferring personal data between those jurisdictions. It went into effect in July 2016, replacing the earlier Safe Harbor framework.

Two years later it has proven to be more of a nightmare for companies, at least for the 3,000 to 4,000 or so US firms that self-certified under Privacy Shield to cover some of their obligations under the General Data Protection Regulation.

Unfortunately, the agreement has been fraught with disagreements among the partners. Frustrations finally came to a head when the European Commission (EC) set a Sept. 1, 2018, deadline for the US to meet its obligations under Privacy Shield. If the US didn't comply, the EC threatened to suspend the measure. Now that Sept. 1 has come and gone, the silence from the Europeans has been deafening. Meanwhile, observers are filling the void with three theories about what might happen:

1) The EC will stay silent now that the US has called its bluff. It will be business as usual.

2) The EC will respond in the coming weeks. Bureaucracy is always slow, especially when decisions must be made.

3) The EC will kick the can to the end of October when the second annual review of Privacy Shield is expected. Privacy Shield may be canceled then.

The US companies that signed up for Privacy Shield as a partial response to the General Data Protection Regulation (GDPR) need to make plans now. Should they ride it out and wait to see how developments unfold, only to have to scramble if it is suspended? Or should they take steps to shore up their positions now?


Falls Short Of Actual Law

No one can say for certain what will happen of course, but a consensus is forming around theory No. 3, for many reasons, not the least of which is that Privacy Shield doesn’t have the same force of law that GDPR has. “The Privacy Shield is a framework that falls short of actual law,” Josh Mayfield, director of security strategy at Absolute, said. “It is a set of principles, guidelines and practices to help an organization stay out of hot water if/when an EU citizen’s personal information is misused.”

Its main limitation is that its authority extends only to data that originates in Europe and is transferred to US companies, Mayfield explained. Also, Privacy Shield was never meant to be an answer to GDPR; it addresses only some elements of the law. "With the impending session and vote, I imagine that the EU will dispense with the Privacy Shield," Mayfield said.

US companies using Privacy Shield, therefore, should begin implementing alternative data transfer mechanisms, such as standard contractual clauses or binding corporate rules, in anticipation of it being suspended or replaced, advised Amber Welch, Privacy Technical Leader at Schellman & Co.

Waiting for a favorable ruling on Privacy Shield, one that might never come, may keep some US companies from accepting that data privacy is a serious issue, said Salvatore Stolfo, Columbia University professor, researcher, and founder and CTO at Allure Security. Regardless of how the Privacy Shield issue is resolved, US companies need to understand they must comply with GDPR, he said. Beyond that, data privacy reforms are coming to the US one way or another, whether through state legislation like the new laws in New York and California or through calls for a data privacy framework at the national level, Stolfo said. "There's a very real risk that businesses will simply opt out of taking 'reasonable and appropriate measures' and instead make room in their operating budgets for any fines associated with noncompliance and lost data," he said. "I call this the 'ostrich strategy,' and it's quite dangerous."


Not Over Yet

Not everyone has given up on Privacy Shield yet. Zachary Paruch, product manager and legal analyst at Termly, said that abandoning Privacy Shield isn't a practical solution for the US or the EU, as there is nothing to be gained from prematurely ending it. "Regardless, US companies should make efforts to improve their privacy practices," he said. "Many businesses are under the impression that better privacy practices mean sacrificing revenue." That is not necessarily so; in fact, strong privacy practices can lower regulatory and litigation risks and improve public perception of a company, he said.