Privacy Shield: Should I stay or should I go?

The lead up to the GDPR enforcement date consumed a large swath of media coverage. This essentially buried the news that in early July 2018, the European Union Parliament warned that it would suspend the Privacy Shield agreement with the United States unless the US government took action to meet GDPR requirements.

The EU-US Privacy Shield offered US businesses an opportunity to meet GDPR requirements before enforcement actions began, yet the US government continued to neglect data privacy. This positioned the EU Parliament to force a unified data protection standard by suspending the Privacy Shield, thereby de-authorizing transfers of European citizens' personal data to US systems.

The EU-US Privacy Shield

This framework allows businesses to self-certify and attest to their privacy practices. US businesses must provide Privacy Shield-compliant privacy policy statements as part of the self-certification process, and self-certifying organizations can choose to prove compliance either through an independent party or through a self-assessment.

The EU Parliament threatens a Privacy Shield revocation

The EU Parliament understandably lost trust in US corporate and governmental data privacy oversight. As part of the EU-US Privacy Shield agreement, the EU Parliament negotiated a privacy framework to incorporate data minimization and user redress requirements that are now available under the GDPR. This agreement also requested US government assurances to limit public authority data access based on claims of national security.

The Parliament adopted a resolution that would suspend the Privacy Shield until US officials comply with its terms. Two major events regarding US government and private entity data use led to the resolution.

Facebook transferred 2.7 million EU citizens’ data to Cambridge Analytica. This showed US corporate signatories had not abided by the agreement. The Privacy Shield self-certification process allows organizations to use self-assessments as proof of compliance. Since Facebook did not comply with its own policies, the EU Parliament lost trust in US corporations.

The second event took place when the Parliament noted that the US authorities had left ten recommendations unresolved, including US Department of Commerce monitoring, the re-authorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA), and the establishment of the Privacy and Civil Liberties Oversight Board. Under the Privacy Shield agreement, the US government needs to comply with data privacy requirements. As of early July 2018, it had not responded to the EU Parliament's concerns.

Global compliance impact on Privacy Shield suspension

The Privacy Shield built a reciprocal data governance framework that enables companies in compliance to transfer data as a controller or third-party agent. Revoking the Privacy Shield undermines the agreed standards aimed at meeting GDPR Notice and Choice Principles.

A potential Privacy Shield suspension would make GDPR the only way US companies are authorized to access EU residents' personal data. Lacking this, US businesses would need to establish European-facing subsidiaries disconnected from their US parent company, straining US-based compliance professionals who must meet international privacy standards as well as those enacted by individual states.

As states such as California enact GDPR-inspired laws, the time and cost of meeting compliance requirements increase exponentially, because there is no federal US standard aligned with the new international measures.

Privacy Shield’s role in GDPR and other global data privacy regulations

By drawing an executional roadmap, the Privacy Shield offers US companies a way to navigate GDPR compliance, which has shifted focus from data protection to a more purposeful care of data collection and breach notification.

The Privacy Shield provides the roadmap for US business GDPR compliance. Older frameworks focus on data protection, but the GDPR intrinsically changed that by requiring companies to approach collection and notification more purposefully. Principles like data minimization, valid consent, and legitimate business interest in personal data require companies not only to protect data but to collect it meaningfully before storing or transmitting it.

The Privacy Shield possibly creates GDPR as an international standard

GDPR compliance depends on the types of data collected and the third parties involved. Suspending the Privacy Shield would limit the self-reporting of companies doing business with EU citizens. All companies then attempting to do business in the EU would come under GDPR compliance. This would require devoting a significant share of the organization's people, processes, and technology to compliance work.

Already accepted internationally, ISO 27001 and 27002 establish technical standards aligning with data protection requirements listed in the GDPR. This could be used in lieu of GDPR.

ISO 29100 creates a unified privacy terminology, defines actors and their roles, establishes safeguarding requirements, and references known privacy principles. ISO 29151 adds to the appendix of ISO 27001 with the implementation guidelines that could become the universal standard as they align with GDPR. Ultimately, their alignment with and enablement of GDPR compliance still promotes GDPR as the primary authority.

The path forward

The new California Consumer Privacy Act of 2018 offers another insight into how suspending the Privacy Shield may impact US businesses. EU supervisory authorities may choose to accept US state-specific privacy compliance requirements. Consider a company based in Delaware that would normally not need to comply with another state's regulation. However, if compliance with another state's laws aligns with an international regulation the business must adhere to, the privacy frameworks needed to enable global business transactions easily become overcomplicated.

Finally, if the US continues to lag in efforts around data privacy, global partners may force US businesses to adopt GDPR compliance in its totality. Contract terms will no longer be able to accept Privacy Shield assurances as an alternative to full compliance. A US company expanding its services and technology to the EU market then needs to become GDPR compliant as it scales.


Subscribe to the Help Net Security breaking news e-mail alerts: