For much of 2018, GDPR took center stage and not much was said about Privacy Shield. Until now. Since the spring, interest in Privacy Shield has surged with more than 1,000 additional organizations applying for the program.
Privacy Shield is designed for companies that transfer personal data to the US from the EU as part of their business operations, and to help them to demonstrate that they protect data in compliance with strict EU data protection laws.
Earlier this summer, however, the European Parliament deemed that US efforts to comply with the Privacy Shield program were inadequate and that unless corrective actions were taken, they would recommend its suspension. The program is currently under review by the European Commission, and there is a risk of Privacy Shield being suspended, despite the strong market demand for it.
What are the implications for US companies doing business in Europe if this were to happen, and what’s actually at stake?
What’s at stake with Privacy Shield?
With organizations increasingly relying on data to power their businesses and increasingly conducting cross-border business activities, complex privacy regulations have become the new reality, as have the solutions that help organizations manage compliance. For US companies serving European markets, Privacy Shield is a critical mechanism for facilitating compliant data flows and its suspension could wreak havoc.
Privacy Shield provides the flexible approach US companies require to effectively transfer data out of the EU. If it goes away, this flexibility would go away immediately and companies would have to resort to one of two options:
- Non-compliance, which isn’t much of an option if you’re trying to run a business;
- Very quickly adopting contractual agreements in its place (a third option is to obtain regulatory approval for Binding Corporate Rules (BCR), but this can take a number of years to complete).
However, these agreements, called Standard Contractual Clauses (SCCs), provide legal protection but don’t really provide much data protection in practice. Though some organizations already have SCCs in place as a fall-back mechanism, the agreements are prescriptive and non-negotiable, specific to certain enumerated data transfers, and very hard to maintain.
More often than not, they turn into a mere paper exercise, making any reasonable substitution for accountable oversight of data transfers under Privacy Shield unlikely.
Privacy compliance requires a programmatic approach - today and tomorrow
Shifting international data privacy rules create obvious barriers to global trade, which is why efforts are underway to make regulations more convergent and to ensure effective interoperability. Privacy Shield, for example, aligns closely with many of the requirements of the GDPR, the California Consumer Privacy Act (CCPA), and APEC Cross Border Privacy Rules (CBPR) as well as other regional and national privacy laws and frameworks.
These regulations share characteristics including flexibility and programmatic approaches for compliance. In 2019, I fully expect data privacy to continue on a similar path as the one that cybersecurity has followed. As with security, a standard of constant privacy, data governance, and data protection will become the new normal. Rather than a project with a finite end, privacy compliance is a continuous exercise that requires the same ongoing focus and vigilance as security or taxes.
Privacy regulations are a competitive differentiator
As international privacy standards become ubiquitous, companies have an opportunity to re-examine their approaches to developing innovative and differentiated products and services. The organizations that embed compliance into their entire product development processes will be able to clearly differentiate against their competitors by offering compelling value to customers.
Privacy Shield, GDPR and similar laws are driving businesses across sectors to consider ethical approaches to data privacy, once a focus only in healthcare, research, and highly regulated organizations. While companies may have started with a check-the-box compliance exercise, innovative players are looking to differentiate themselves from their competition by setting up new teams and roles such as data ethics officers to formally consider the implications of algorithms and machine learning on customer trust and business outcomes.
Privacy Shield will sustain because companies demand it
Research has shown that meeting customer expectations was the main driver for companies to become GDPR compliant before the May 25th deadline, significantly higher at 57% compared to concern for fines at 39%.
Privacy Shield is a voluntary compliance framework and with thousands of companies joining the program just this year, it’s clear that its relevance is growing. In a time when global privacy regulations are the new normal, compliance solutions and program certifications such as that of Privacy Shield offer companies the approach they require to better serve global markets, commit to their users’ privacy, and drive competitive differentiation.