New Privacy Shield Breaks 200 — But Can It Go the Distance?
According to Network World, Privacy Shield — the replacement for the EU/U.S. data handling provision known as Safe Harbor — now covers 200 American companies.
Since registration opened on Aug. 1, 2016, the International Trade Administration (ITA) has processed 90 applications from big companies such as Microsoft and Salesforce, along with a host of subsidiary organizations. In the case of Microsoft, this includes businesses like Acompli, BlueStripe Software, Incent Games and Vexcel.
While the new legislation offers improved transparency for consumers along with tighter data handling rules for organizations, the jury’s still out on its long-term impact. Is the Shield just running wind sprints, or is this legislation up for the long haul?
More Control With Privacy Shield
In October 2015, the Court of Justice of the European Union ruled that the Safe Harbor framework didn’t do enough to protect the rights of European citizens whose personal data was being processed by American companies. The EU-U.S. Privacy Shield was developed as way to address those concerns.
According to the European Commission, the new framework includes more options for individuals. Companies must reply to complaints within 45 days and alternative dispute resolution is provided free of charge.
As noted by Information Age, meanwhile, business must abide by new principals, such as notice and choice. Notice requires companies to notify users about their Privacy Shield status, what type of data they plan to collect, how that data will be shared and which (if any) third parties will have access. The choice principle, meanwhile, mandates that organizations give EU citizens the ability to decide if their data can be shared with a third party at all or if their data can be used for purposes other than those expressly authorized.
It’s worth noting that there’s some pushback on this issue, especially from groups like the Article 29 Working Party (WP29), which has concerns about automated decision-making and the lack of a general right to object.
It’s also interesting to note that registering for Privacy Shield is an entirely self-serve process. The ITA only checks to ensure forms are completed correctly; businesses self-certify that they will comply with the nearly 14,000 words of this legislation, and consumers are on the hook to catch any missteps.
Cracks in the Armor
For businesses, however, there is one aspect of this new legislation that may demand more than mere technical changes and notification solutions. As discussed by Venture Beat, under the new law, any data controllers — such as the big-name companies registered with Privacy Shield — are responsible for the actions of third parties that have been granted access to information.
In other words, it’s no longer enough for multinational enterprises to shrug if a third-party provider drops the ball. As the first point of contact, data controllers are responsible for protecting personal data throughout its life cycle and destroying this data once it’s no longer needed.
What does this all mean for the future of Privacy Shield? Although it’s an imperfect document, it’s an improvement on Safe Harbor — one that offers both enhanced resolution options and data protection expectations. Registrations aren’t exactly skyrocketing and the law hasn’t hit its stride quite yet, but this new digital defense may be able to go the distance.