By Grant Gross
Dec. 22, 2016
Privacy Shield, the new international framework allowing companies to transfer customer data between the EU and the U.S., is getting good reviews so far, but some companies aren't betting on it for the long term.
Companies using Privacy Shield worry that it may face the same fate as long-used predecessor the Safe Harbor Framework, which was overturned by the European Court of Justice in October 2015 after revelations of mass surveillance by the U.S National Security Agency.
Digital Rights Ireland and French civil liberties group La Quadrature du Net have also challenged Privacy Shield in court, saying the new framework doesn't adequately protect Europeans' privacy.
While U.S. companies are embracing Privacy Shield, many European businesses are "still concerned that Privacy Shield will not hold up under court scrutiny, and they will find themselves in the same scenario as they were in October 2015, when the Safe Harbor agreement was struck down," said Deema Freij, global privacy officer at Intralinks, a New York cloud-based content collaboration provider.
Some European companies see Privacy Shield certification as a "tick box" compliance exercise, she added. With some doubts about its long-term viability, companies should also consider other data transfer agreements, such as EU model clauses or binding corporate rules, she recommended.
However, if companies can get certainty about Privacy Shield's future, and if it won't be "attacked in the long term by data privacy activists trying to discredit it and challenge its validity, I believe it will work in the long run," Freij added.
More than 1,100 users
As of early December, about five months after Privacy Shield went into effect, about 1,150 U.S. companies had signed up to handle European customer data under Privacy Shield, up from about 500 at the end of September. Another 600 U.S. companies had applications under review.
Those numbers compare to more than 4,500 U.S. companies that had participated in the Safe Harbor data-transfer program, according to the U.S. Department of Commerce.
Like Intralinks, cloud security firm CipherCloud is worried about the legal challenges to Privacy Shield, said David Berman, senior product marketing manager there.
"If a European Court decision does invalidate Privacy Shield, there will be another period of uncertainty" similar to what happened after the Safe Harbor agreement was struck down, he said. "If the new framework can withstand legal challenges it should continue to attract companies that want an overarching mechanism to transfer EU data to the U.S."
Small and medium-size businesses, as well as cloud providers, seem to be embracing Privacy Shield, but the new data transfer rules impose more obligations than the old agreement, Berman said.
"Privacy Shield has more privacy protections for individuals than Safe Harbor, so firms will have to be more diligent and ensure they are complying with the new privacy principles or risk public disclosure of a violation by the U.S. Department of Commerce," he said. "Some firms may find the increased oversight, additional requirements, and sanctions for non-compliance under Privacy Shield a barrier to adoption."