Few Companies Trust the EU's New Personal Data 'Privacy Shield'
Multinational companies aren't putting much faith in the "Privacy Shield" agreement between the United States and the European Union, a recent survey of privacy professionals shows. Barely a third of surveyed businesses plan on using the agreement, which makes it easier for companies to transfer personal information on European citizens outside the EU. The Privacy Shield agreement was meant to replace a previous data sharing agreement, known as Safe Harbor, which was struck down last October, in part because U.S. companies could not protect European data from NSA snooping.
But the alternative to the Privacy Shield isn't too great either. Instead of relying on the Privacy Shield agreement, most companies have turned to model contract clauses -- clauses that many expect to be invalidated by the European Court of Justice, the Wall Street Journal reports.
From Safe Harbor to Privacy Shield Nothing
The EU places strict limits on what can be done with the personal data of European citizens, which it defines as any personally identifiable information. One of the strictest limitations is the EU Data Protection Directive's prohibition on transferring personal data out of Europe. For years, companies were able to get around that limitation by taking part in the Safe Harbor program, in which U.S. companies could agree to data protection principles in order to bypass European restrictions.
In October, the Safe Harbor program died after the European Court of Justice ruled that European data isn't really safe when stored in the U.S., thanks in part to our snooping government.
In response, the European Union and the U.S. created Privacy Shield, a protocol with more "robust and enforceable" protections for European data. But very few people are interested. Barely 100 companies have been certified under the program so far, compared to the more than 4,000 that took advantage of Safe Harbor, the Journal reports.
Rolling the Dice on Contract Clauses -- For Now
Only 34 percent of companies plan on using the Privacy Shield agreement, according to a survey of 600 privacy professionals conducted by the International Association of Privacy Professionals and EY (formerly Ernst and Young). The vast majority, 81 percent, are relying instead on model contract clauses that have been approved by the EU.
But that could be a risky proposition. Those clauses are considered likely to be invalidated by the European Court of Justice, because they don't do enough to keep government hands off EU data. If the clauses are struck down, companies that aren't part of Privacy Shield could face sanctions.
Of course, Privacy Shield's future isn't certain, either. "There is a legal uncertainty of the future of this arrangement because we saw what happened with Safe Harbor," the IAPP's vice president of research, Omer Tene, told the Journal. And new European data regulations are expected in the spring of 2018, meaning that the Privacy Shield agreement could soon become superseded itself.
That seems to be what everyone is planning for. According to the Journal's Dana Heide, 89 percent of the survey's respondents are already taking steps to comply with those new data protection regulations.