Breaking down Privacy Shield: Will it stay or will it go?

6 Sep 2018

Image: Nenad Mihajlovic/Shutterstock

The threat deadline posed by the EU to suspend Privacy Shield has passed. What could happen if it is scrapped? Fouad Khalil of SecurityScorecard explains.

In early July 2018, the European Parliament warned that it would suspend the Privacy Shield agreement with the US unless the government took action. Neglected by the media during the ramp-up to the General Data Protection Regulation (GDPR) enforcement date, the EU-US Privacy Shield offered US businesses an opportunity to meet GDPR requirements.

As the US government continues to neglect data privacy, however, the EU Parliament seeks to force a unified data protection standard by suspending the Privacy Shield, thus deauthorising European citizen personal data transfers to US systems.

What does the EU-US Privacy Shield do?

The EU-US Privacy Shield created an established framework allowing businesses to self-certify and attest to their privacy practices. As part of the self-certification process, US businesses must provide Privacy Shield compliance privacy policy statements. However, self-certifying organisations can choose to prove compliance through a self-assessment or an independent third party.

What caused the EU Parliament to threaten Privacy Shield revocation?

In short, the EU Parliament lost trust in US corporate and governmental data privacy governance.

As part of the EU-US Privacy Shield agreement, the EU Parliament negotiated a privacy framework that would incorporate many of the data minimisation and user redress requirements available now under the GDPR. It also required US government assurances that limited public authority data access based on national security.

The parliament established a resolution that would suspend the Privacy Shield until such time as the US authorities comply with the terms. Two specific concerns regarding US government and private entity data use led to the resolution.

First, Facebook’s transfer of 2.7m EU citizens’ data to Cambridge Analytica indicated that corporate US signatories had not respected the agreement. As part of the Privacy Shield self-certification process, organisations can use self-assessments as proof of compliance. Since Facebook did not comply with its own policies, the EU Parliament lost trust in US corporations.

Second, the parliament noted that the US authorities left 10 recommendations unresolved, including US Department of Commerce monitoring, Section 702 of the Foreign Intelligence Surveillance Act reauthorisation and Privacy Civil Liberties Oversight Board establishment. The Privacy Shield agreement means the US government needs to comply with data privacy requirements. As of early July 2018, it had not responded to EU Parliament concerns.

What would the impact be on global compliance standards should Privacy Shield be suspended?

The Privacy Shield established a reciprocal data governance framework. Corporate attestation with Privacy Shield requirements allows the company to transfer data as a controller or third-party agent. Revoking the Privacy Shield undermines the compliance efforts aimed at meeting GDPR notice and choice principles.

As such, the Privacy Shield’s potential suspension makes GDPR the only way US companies are authorised to access EU residents’ personal data. Without the framework, US businesses would need to consider establishing European-facing subsidiaries disconnected from their US parent company. This corporate segregation then strains US-based compliance professionals who need to meet international privacy standards as well as those enacted by individual states.

As more states, such as California, enact GDPR-like privacy laws, the time and money spent on continuous compliance efforts increase exponentially. With no single US standard aligning with state and international requirements, the privacy grip on US businesses tightens, increasing the number of compliance attestations, money spent on documentation and staff needed to comply.

How does Privacy Shield interact with GDPR and other data privacy regulations globally?

The Privacy Shield provides the roadmap for US business GDPR compliance. Old frameworks focus on data protection but the GDPR intrinsically changed that by requiring companies to focus collection and notification more purposefully. Principles such as data minimisation, valid consent and legitimate business interest in personal data not only require companies to protect data but to meaningfully collect it prior to storing or transmitting it.

Will revoking the Privacy Shield establish GDPR as an international data standard?

Currently, corporate GDPR compliance depends on the type of data collected and third parties involved. Suspending the Privacy Shield would limit the self-reported attestation abilities of companies doing business with EU citizens. Therefore, all companies attempting to do business in the EU would come under the GDPR compliance scope, which would consume the entire organisation’s people, processes and technology.

In lieu of establishing the GDPR as the international standard, ISO 27000 and ISO 29100 combined could offer an alternative. Already accepted internationally, ISO 27001 and 27002 establish technical standards aligning with data protection requirements in the GDPR.

Simultaneously, their requirement for an infosec management system focuses on controls mitigating external risks. ISO 29100 creates a unified privacy terminology, defines actors and their roles, establishes safeguarding requirements, and references known privacy principles.

With the addition of ISO 29151 to the appendix of ISO 27001, the implementation guidelines could become the universal standard as they align with GDPR. Ultimately, however, their alignment with and enablement of GDPR compliance still promotes GDPR as the primary authority.

The new California Consumer Privacy Act of 2018 offers another insight into how suspending the Privacy Shield may impact US businesses. EU supervisory authorities may choose to accept US state-specific privacy compliance requirements.

This possibility poses a different challenge for compliance professionals. A company based in Delaware would normally not need to comply with another state’s regulation. However, if compliance with another state’s laws aligns with an international regulation the business needs, the professional needs to determine the best privacy framework enabling global business transactions.

Finally, if the US continues to maintain an archaic data privacy stance, then global partners may force US businesses to adopt GDPR compliance in its totality. Contract terms will no longer be able to accept Privacy Shield assurances as an alternative to full compliance. A US company expanding its services and technology to the EU market then needs to become GDPR-compliant as it scales.

By Fouad Khalil

Fouad Khalil is the head of compliance at SecurityScorecard. Khalil has extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, programme and project management, and IT security and compliance management.