August 31, 2016 By Douglas Bonderud 2 min read

According to Network World, Privacy Shield — the replacement for the EU/U.S. data handling provision known as Safe Harbor — now covers 200 American companies.

Since registration opened on Aug. 1, 2016, the International Trade Administration (ITA) has processed 90 applications from big companies such as Microsoft and Salesforce, along with a host of subsidiary organizations. In the case of Microsoft, this includes businesses like Acompli, BlueStripe Software, Incent Games and Vexcel.

While the new legislation offers improved transparency for consumers along with tighter data handling rules for organizations, the jury’s still out on its long-term impact. Is the Shield just running wind sprints, or is this legislation up for the long haul?

More Control With Privacy Shield

In October 2015, the Court of Justice of the European Union ruled that the Safe Harbor framework didn’t do enough to protect the rights of European citizens whose personal data was being processed by American companies. The EU-U.S. Privacy Shield was developed as a way to address those concerns.

According to the European Commission, the new framework includes more options for individuals. Companies must reply to complaints within 45 days and alternative dispute resolution is provided free of charge.

As noted by Information Age, meanwhile, businesses must abide by new principles, such as notice and choice. Notice requires companies to notify users about their Privacy Shield status, what type of data they plan to collect, how that data will be shared and which (if any) third parties will have access. The choice principle, meanwhile, mandates that organizations give EU citizens the ability to decide if their data can be shared with a third party at all or if their data can be used for purposes other than those expressly authorized.

It’s worth noting that there’s some pushback on this issue, especially from groups like the Article 29 Working Party (WP29), which has concerns about automated decision-making and the lack of a general right to object.

It’s also interesting to note that registering for Privacy Shield is an entirely self-serve process. The ITA only checks to ensure forms are completed correctly; businesses self-certify that they will comply with the nearly 14,000 words of this legislation, and consumers are on the hook to catch any missteps.

Cracks in the Armor

For businesses, however, there is one aspect of this new legislation that may demand more than mere technical changes and notification solutions. As discussed by Venture Beat, under the new law, any data controllers — such as the big-name companies registered with Privacy Shield — are responsible for the actions of third parties that have been granted access to information.

In other words, it’s no longer enough for multinational enterprises to shrug if a third-party provider drops the ball. As the first point of contact, data controllers are responsible for protecting personal data throughout its life cycle and destroying this data once it’s no longer needed.

What does this all mean for the future of Privacy Shield? Although it’s an imperfect document, it’s an improvement on Safe Harbor — one that offers both enhanced resolution options and data protection expectations. Registrations aren’t exactly skyrocketing and the law hasn’t hit its stride quite yet, but this new digital defense may be able to go the distance.
