When the European Commission finally released the text of the EU-U.S. Privacy Shield agreement reached in February, I dove into its lines like a surgeon. The European Court of Justice’s invalidation of the Safe Harbor last year left American companies and all onlookers in grave suspense, wondering if a resulting ban on the inflow of European personal data would maim business.
Having set out to clearly define the delta between the new doctrine and the old, I’ve read through the agreement several times over. I camped on the wording of each privacy principle until the EU’s true pain points revealed themselves, and in doing so, I will tell you this: although American and European agencies have promised more details on the x’s and o’s of the agreement, and the text is subject to change as it sits in the Article 29 Working Party’s queue for final review, the Privacy Shield as it stands presents some serious and unfamiliar challenges to companies in the United States. The standards are broader, the EU is demanding actually verifiable commitment to the principles, and noncompliance will now warrant significant recourse. To those organizations that will ultimately have to grapple with this new framework, here’s a 4-point heads-up you might want to take into consideration:
1. The Principles
For those organizations that are already acquainted with the Fair Information Practices, the presentation of the Privacy Shield’s first six principles shouldn’t be too staggering; however, it may be a different story for those that aren’t up to speed. The new framework requires the common precepts of Notice, Choice, Accountability of Onward Transfer, Security, Data Integrity and Purpose Limitation, and Access (Recourse, Enforcement and Liability is addressed later). Without descending into Privacy 101, I will simply say that designing and implementing the controls necessary to satisfy these principles could very likely be an agonizing exercise in user transparency and empowerment, granular data management, information safeguarding, and third-party vetting and regulation. Furthermore, the reality is that a company’s privacy framework needs to be tailored closely to its own processes and technologies, so finding some sort of cookie-cutter solution when aiming for readiness and compliance is just not in the cards.
2. The Stipulations
Like most documents of its ilk, the Privacy Shield agreement is complex. Specific types of personal information and purposes of use are not subject to some or all of the privacy principles. Personal information of a sensitive nature (as defined in the text) requires additional consideration and care. Users are not always entitled to a choice when data is ingested or disclosed. Reasonable limitations may be set on user requests to access and modify their information. The list of situational terms goes on. For organizations trying to successfully interpret and navigate the rigors of the new framework, it’ll be rather difficult to find sure footing without the resources or counsel to effectively marry their business profile with the Privacy Shield’s stipulations.
3. The Certification
The Safe Harbor’s certification process was not robust and certainly contributed to its eventual undoing. To really bind American companies to the refaced principles, the Privacy Shield definitely gave the new certification obligations some teeth. When an organization declares its compliance with the Privacy Shield, it must then verify that it is truly operating within its bounds. To do so, companies can choose to either a) conduct a self-assessment, which must be signed by a corporate officer, to outline and affirm (and hopefully prove) that a control set is in place to satisfy the various requirements of the framework, or b) seek attestations from outside firms for external validation. This must be done on an annual basis. Although it is enhanced from what it was in the Safe Harbor, of all the domains in the Privacy Shield I see the proposed certification process catching the most scrutiny in the final stages of review. It would not surprise me one bit if the DPAs in the Article 29 Working Party order verification to be carried out only by third-party assessors to ensure objectivity and thoroughness.
4. The Recourse
The agreement’s last principle, Recourse, Enforcement and Liability, offers a multi-channel outlet for European data subjects to submit Privacy Shield-related complaints. The new text presents instructions on how organizations must resolve claimed violations submitted directly by individuals. Europeans will also be able to leverage their local DPAs to push the FTC to investigate complaints. In addition, organizations will register with an Alternative Dispute Resolution (ADR) system, free of charge to the individual, as another mode of independent recourse. If none of these methods deliver satisfaction, a new Privacy Shield Panel will issue binding decisions against businesses. The long and short of it is, once the Privacy Shield is made official, American companies are going to have many masters and will have to cater to the distinct demands of each.
There’s a lot to chew on with the introduction of the Privacy Shield. Although sources have hinted that the text may receive the Working Party’s judgment or approval within the next few months, we’ll just have to play the waiting game to see how international business will ultimately be affected. Regardless, when the new agreement is finalized, it’s certainly clear that many American organizations will be forced to grow up and mature into businesses that can balance both enterprise and accountability.
About the Author
A manager with Schellman, Zach Schmitt has a concentration in IT security and privacy in the Washington, D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the continuing evolution of data security and privacy. Zach is a graduate of Virginia Tech and holds BAs in Accounting & Information Systems and Marketing Management.