Three months after self-certification was opened up for the new EU-U.S. Privacy Shield framework, only a small number of companies that handle personal data of EU citizens have actually completed the process.
EU-U.S. Privacy Shield certification began on Aug. 1 this year, and initial response has been spotty, with only 40 companies certified under the program in its first two weeks. Even now, nearly three months later with over 500 companies signed on at the time of this writing, the total is still far short of the over 4,400 companies registered with the Safe Harbor program; Safe Harbor was invalidated last year after Austrian privacy activist Max Schrems successfully argued in court that it did not safeguard EU residents' personal information from large-scale access by U.S. intelligence agencies.
"Self-certification is really about making 100% certain that your processes and practices are well written and fully understood by your team, and affirming that to the public who will ultimately apply their trust in you as an organization with their information," Brown added.
Tomas Honzak, director of security and compliance at GoodData, a San Francisco cloud-based business intelligence firm, said the process went faster than expected, taking 60 days rather than the expected 90-day lead time.
While the process was largely transparent to GoodData's customers, the effort behind it was significant: "Internally we had to do a detailed gap analysis to what extent our current privacy-related procedures comply and of course we had to update them so that they actually address these new rights -- and we also had to ensure that whenever there is another third party that can access the personal data on our behalf, they would be able to comply with these new requirements too."
Many key cloud players, including Microsoft, Oracle, Google, Dropbox, Facebook, Slack, Box and Salesforce, have already jumped in and self-certified for the Privacy Shield framework, and their registrations are viewable at the U.S. Department of Commerce Privacy Shield website.
Stephen Cobb, senior security researcher at ESET, told SearchSecurity by email that absence from the Privacy Shield website does not mean a company is not complying with the EU privacy rules. "Certification under Privacy Shield is not the only way to comply with these rules. It is possible to comply with EU laws on trans-border data flows by having the right contracts in place between the entities handling the data. When appropriately formulated and formalized, these so-called binding corporate rules (BCRs) are a valid legal basis for international data transfers, now and under GDPR, the General Data Protection Regulation that the EU will begin enforcing in 2018."
Amazon addressed the issue of Privacy Shield certification in a blog post in August, noting that AWS customers are not impacted by the new framework for two reasons: "First, customers using AWS have full control of the movement of their data and have always had the choice of the region in which their data is kept. AWS customers choose the AWS region where their data will be stored and can be assured that their data will remain there unless moved by them."
AWS customers transferring personal data from Europe to other parts of the world can comply with EU data protection law by using model contract clauses, which provide a separate mechanism for organizations to comply with EU privacy regulations.
Amazon does refer to its participation in Privacy Shield in its privacy notice, which it updated on Sept. 30 to reflect Amazon's compliance with the framework for Amazon.com, Amazon Media Group LLC, Amazon Web Services, Inc. and Audible Inc.
Yahoo is bypassing Privacy Shield entirely, at least so far. A Yahoo spokesperson stated: "We rely on model contract clauses and other mechanisms to serve our customers in Europe and address European Union data protection requirements for transfers of data."
Can Privacy Shield survive?
A potential fly in the privacy ointment has to do with the prospect that privacy advocates may target Privacy Shield for the same shortcomings as Safe Harbor: insufficient privacy protections for EU residents in the face of U.S. intelligence agencies doing mass surveillance, as well as insufficient redress options for individuals who believe their privacy was violated and who can't get satisfaction from the company involved in the violation.
"Most legal observers seem to think such a challenge is quite likely. How it unfolds will be a matter of law, diplomacy and also economics," Cobb said. "While the privacy concerns of consumers in every country are important, most countries derive great commercial benefit from the relatively free flow of data across borders. Perhaps more critically, there could be significant negative impacts to companies and consumers in multiple countries if the data flows stopped. It may be that the best chance of deflecting a successful challenge to the Privacy Shield is a solid effort by U.S. companies to embrace EU principles of data protection -- something that would arguably play well with U.S. consumers as well as EU citizens."
Brown said the possibility of a legal challenge was not surprising given the Safe Harbor ruling. "My guess is that the Privacy Shield will either change dramatically or possibly even be replaced, encapsulated into a more globally reaching policy as we work harder to determine exactly where our rights as humans are protected or should be."
Honzak said the possibility of a legal challenge to Privacy Shield "is literally a multimillion-dollar question." Noting that there may be some doubt over whether Privacy Shield can survive for long, he said "even if we put the skepticism aside, there is already the General Data Protection Rules, new EU regulation that will come into effect in May 2018, and the boom of internet of things literally opens a new can of worms in the area of privacy, so with or without the Privacy Shield, privacy officers already have a lot of things to work on."
Privacy Shield certification advice
"As in any other compliance-related project, it is important to start with the buy-in from the executive team," Honzak offered. "Sounds like a no-brainer, but unless the business understands the importance, it will be a tough uphill battle."
"I think the choice is clear," Cobb said. "You either avoid doing business in Europe or with European customers, or you embrace the EU approach to privacy and lead by example, as a U.S. company that 'gets privacy.' I realize that could be a tough call for some companies whose business model is built on exploiting consumer data, but in my opinion those business models are going to face multiple challenges down the road, and not just from privacy advocates in the EU."