Tech companies like Privacy Shield but worry about legal challenges

The future of data transfers between the EU and US is uncertain, companies say

Privacy Shield, the new international framework allowing companies to transfer customer data between the EU and the U.S., is getting good reviews so far, but some companies aren't betting on it for the long term.

Companies using Privacy Shield worry that it may face the same fate as its long-used predecessor, the Safe Harbor Framework, which was overturned by the European Court of Justice in October 2015 after revelations of mass surveillance by the U.S. National Security Agency.

Digital Rights Ireland and French civil liberties group La Quadrature du Net have also challenged Privacy Shield in court, saying the new framework doesn't adequately protect Europeans' privacy.

While U.S. companies are embracing Privacy Shield, many European businesses are "still concerned that Privacy Shield will not hold up under court scrutiny, and they will find themselves in the same scenario as they were in October 2015, when the Safe Harbor agreement was struck down," said Deema Frei, global privacy officer at Intralinks, a New York cloud-based content collaboration provider.

Some European companies see Privacy Shield certification as a "tick box" compliance exercise, she added. With some doubts about its long-term viability, companies should also consider other data transfer agreements, such as EU model clauses or binding corporate rules, she recommended.

However, if companies can get certainty about Privacy Shield's future, and if it won't be "attacked in the long term by data privacy activists trying to discredit it and challenge its validity, I believe it will work in the long run," Frei added. 

More than 1,100 users

As of early December, about five months after Privacy Shield went into effect, about 1,150 U.S. companies had signed up to handle European customer data under Privacy Shield, up from about 500 at the end of September. Another 600 U.S. companies had applications under review.

Those numbers compare to more than 4,500 U.S. companies that had participated in the Safe Harbor data-transfer program, according to the U.S. Department of Commerce.

Like Intralinks, cloud security firm CipherCloud is worried about the legal challenges to Privacy Shield, said David Berman, senior product marketing manager there.

"If a European Court decision does invalidate Privacy Shield, there will be another period of uncertainty" similar to what happened after the Safe Harbor agreement was struck down, he said. "If the new framework can withstand legal challenges it should continue to attract companies that want an overarching mechanism to transfer EU data to the U.S."

Small and medium-size businesses, as well as cloud providers, seem to be embracing Privacy Shield, but the new data transfer rules impose more obligations than the old agreement, Berman said. 

"Privacy Shield has more privacy protections for individuals than Safe Harbor, so firms will have to be more diligent and ensure they are complying with the new privacy principles or risk public disclosure of a violation by the U.S. Department of Commerce," he said. "Some firms may find the increased oversight, additional requirements, and sanctions for non-compliance under Privacy Shield a barrier to adoption."

Compliance and surveillance

The number of Privacy Shield companies still lags behind the number that used Safe Harbor, which could indicate that Privacy Shield is more difficult to comply with, added Elodie Dowling, corporate vice president and general counsel for Europe, the Middle East, and Africa at BMC Software.

In addition to the legal challenges, some EU data privacy regulators have suggested that Privacy Shield "does not do enough to curtail U.S. surveillance," Dowling added. EU privacy regulators will review the agreement in 2017.

The legal challenges may be only beginning, she added. Max Schrems, the Austrian man who led the fight against Safe Harbor, has questioned how 500 companies received certification in the first month Privacy Shield was available.

"This is undoubtedly showing that there are serious concerns around ... Privacy Shield and its ability to indeed protect EU citizen’s fundamental right of privacy when their personal data is being transferred to the U.S.," Dowling said.

BMC has not yet signed up for Privacy Shield, instead deciding to "rely on another mechanism to safely and legally transfer personal data outside of the EU anywhere in the world" -- through binding corporate rules.

For Privacy Shield to succeed, it needs support from the EU, including the data protection authorities in each member state, added David Hoffman, Intel's associate general counsel and global privacy officer.

Intel supports the new agreement but wants to keep other mechanisms, such as binding corporate rules, in place as well, he said.

If data transfers are between subsidiaries of the same company, companies can use binding corporate rules to define the data responsibilities. As an alternative to Privacy Shield, companies can protect external transfers through model contract clauses restricting what the receiving company may do with the data. 

But companies are concerned about the future of those alternate data transfer methods as well, Hoffman said. While Privacy Shield and alternative transfer methods are in place for now, the future is uncertain.

"Some of the same arguments about Safe Harbor and Privacy Shield can be made about alternative transfer methods," he said. "If there are concerns about law enforcement and national security agencies accessing information, then there would be the same concerns about alternative methods because those agencies can also access it when it's transferred by other means."

Grant Gross

IDG News Service