EU-U.S. Privacy Shield certification process picks up steam, slowly

After a slow start, some U.S. companies are starting to address the questions and challenges of EU-U.S. Privacy Shield certification. But most haven't started the process.

Three months after self-certification was opened up for the new EU-U.S. Privacy Shield framework, only a small number of companies that handle personal data of EU citizens have actually completed the process.

EU-U.S. Privacy Shield certification began on Aug. 1 this year, and initial response has been spotty, with only 40 companies certified under the program in its first two weeks. Even now, nearly three months later with over 500 companies signed on at the time of this writing, the total is still far short of the over 4,400 companies registered with the Safe Harbor program; Safe Harbor was invalidated last year after Austrian privacy activist Max Schrems successfully argued in court that it did not safeguard EU residents' personal information from large-scale access by U.S. intelligence agencies.

The Privacy Shield certification process is straightforward, but not necessarily simple. David Brown, vice president of information technology at FullContact, a contact management company based in Denver, told SearchSecurity by email that FullContact's certification process took just four weeks from start to finish. "The longest part was internal discussions and legal reviews of impact resulting from changes to our existing privacy policy. Because our privacy policy already catered to [safe harbor], we were very well positioned to make the appropriate changes and move forward with a rather aggressive change management schedule.

"Self-certification is really about making 100% certain that your processes and practices are well written and fully understood by your team, and affirming that to the public who will ultimately apply their trust in you as an organization with their information," Brown added.

The first step in self-certification is for the organization to confirm its eligibility to participate in the Privacy Shield framework, which is for companies that handle transatlantic data flows with the personal information of EU citizens; only organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are eligible. The organization must develop a Privacy Shield-compliant privacy policy statement, identify an independent recourse mechanism for investigating privacy complaints, set up a verification mechanism for confirming compliance, designate a Privacy Shield contact within the organization, review the application and, finally, submit the self-certification with the Department of Commerce.

Tomas Honzak, director of security and compliance at GoodData, a San Francisco cloud-based business intelligence firm, said the process went faster than expected, taking 60 days rather than the anticipated 90-day lead time.

"From the end-user perspective, the visible part is an updated Privacy Policy which tells the end users all about their privacy-related rights and how to proceed if they want to execute on those. But this is just the surface," Honzak said.

While the process was largely transparent to GoodData's customers, the effort behind it was significant: "Internally we had to do a detailed gap analysis to which extent our current privacy-related procedures comply and of course we had to update them so that they actually address these new rights -- and we also had to ensure that whenever there is another third party that can access the personal data on our behalf, they would be able to comply with these new requirements too."

Many key cloud players, including Microsoft, Oracle, Google, Dropbox, Facebook, Slack, Box and Salesforce, have already jumped in and self-certified for the Privacy Shield framework, and their registrations are viewable at the U.S. Department of Commerce Privacy Shield website.

Stephen Cobb, senior security researcher at ESET, told SearchSecurity by email that absence from the Privacy Shield website does not mean a company is not complying with the EU privacy rules. "Certification under Privacy Shield is not the only way to comply with these rules. It is possible to comply with EU laws on trans-border data flows by having the right contracts in place between the entities handling the data. When appropriately formulated and formalized, these so-called binding corporate rules (BCRs) are a valid legal basis for international data transfers, now and under GDPR, the General Data Protection Regulation that the EU will begin enforcing in 2018."

Notably absent from the database (at the time of this writing) were Apple, Twitter, Yahoo and Amazon. Apple did not respond to requests for clarification on its compliance with Privacy Shield, while Twitter's privacy policy states that it does comply with Privacy Shield.

Amazon addressed the issue of Privacy Shield certification in a blog post in August, noting that AWS customers are not impacted by the new framework for two reasons: "First, customers using AWS have full control of the movement of their data and have always had the choice of the region in which their data is kept. AWS customers choose the AWS region where their data will be stored and can be assured that their data will remain there unless moved by them."

AWS customers transferring personal data from Europe to other parts of the world can comply with EU data protection law by using model contract clauses, which provide a separate mechanism for organizations to comply with EU privacy regulations.

Amazon does refer to its participation in Privacy Shield in its privacy notice, which it updated on Sept. 30 to reflect Amazon's compliance with the framework for Amazon Media Group LLC, Amazon Web Services, Inc. and Audible Inc.

Yahoo is bypassing Privacy Shield entirely, at least so far. A Yahoo spokesperson stated: "We rely on model contract clauses and other mechanisms to serve our customers in Europe and address European Union data protection requirements for transfers of data."

Can Privacy Shield survive?

A potential fly in the privacy ointment is the prospect that privacy advocates may target Privacy Shield for the same shortcomings as Safe Harbor: insufficient privacy protections for EU residents in the face of mass surveillance by U.S. intelligence agencies, as well as insufficient redress options for individuals who believe their privacy was violated and who can't get satisfaction from the company involved in the violation.

"Most legal observers seem to think such a challenge is quite likely. How it unfolds will be a matter of law, diplomacy and also economics," Cobb said. "While the privacy concerns of consumers in every country are important, most countries derive great commercial benefit from the relatively free flow of data across borders. Perhaps more critically, there could be significant negative impacts to companies and consumers in multiple countries if the data flows stopped. It may be that the best chance of deflecting a successful challenge to the Privacy Shield is a solid effort by U.S. companies to embrace EU principles of data protection -- something that would arguably play well with U.S. consumers as well as EU citizens."

Brown said the possibility of a legal challenge was not surprising given the Safe Harbor ruling. "My guess is that the Privacy Shield will either change dramatically or possibly even be replaced, encapsulated into a more globally reaching policy as we work harder to determine exactly where our rights as humans are protected or should be."

Honzak said the possibility of a legal challenge to Privacy Shield "is literally a multimillion-dollar question." Noting that there may be some doubt over whether Privacy Shield can survive for long, he said "even if we put the skepticism aside, there is already the General Data Protection Rules, new EU regulation that will come into effect in May 2018, and the boom of internet of things literally opens a new can of worms in the area of privacy, so with or without the Privacy Shield, privacy officers already have a lot of things to work on."

Privacy Shield certification advice

Brown had advice for companies preparing for Privacy Shield certification, starting with transparency. "Work harder than you do on any other front to make certain that you, your team, your leadership, and most importantly, your clients understand the beginning and end of your Privacy Policy," he said. "Your Privacy Policy should be plain, simple, 'human,' and clearly indicate the process and steps available to your clients in pursuit of resolution. Aside from that, I would suggest that Security and Privacy teams begin looking at the level of trust clients are affording them when sharing the data that they do."

"As in any other compliance-related project, it is important to start with the buy-in from the executive team," Honzak offered. "Sounds like a no-brainer, but unless the business understands the importance, it will be a tough uphill battle."

"Second, even though participation in the Privacy Shield can be achieved by self-assessment and self-certification, I would recommend partnering with a privacy professional that can assist with the gap analysis, provide feedback and guidance on the required edits to the privacy policy and, last but not least, formally confirm that the company abides by the principles," Honzak said. "Not only that, this increases the trust, gives your customers, partners and end users a clear sign that you do comply -- and a trusted redress mechanism should they ever be concerned about the sensitive data they trusted you with -- but it also saves you a lot of time and money in the compliance process."

"I think the choice is clear," Cobb said. "You either avoid doing business in Europe or with European customers, or you embrace the EU approach to privacy and lead by example, as a U.S. company that 'gets privacy.' I realize that could be a tough call for some companies whose business model is built on exploiting consumer data, but in my opinion those business models are going to face multiple challenges down the road, and not just from privacy advocates in the EU."
