The new Privacy Shield Framework was created to help American companies protect EU customer data privacy. However, in an unexpected twist, uncertainties may threaten the Privacy Shield: The White House passed a directive in January 2017 called the “Executive Order on Public Safety.” It directs U.S. agencies to exclude non-American citizens from personally identifiable information (PII) protections under the U.S. Privacy Act.
According to a recent report in The Wall Street Journal, the executive order is meant to support law enforcement and intelligence agency data-gathering, not to damage international trade or the Privacy Shield. The U.S. Department of Justice wrote a letter to that effect to the EU commission, stating that the order does not apply to the new Privacy Shield.
Nevertheless, uncertainty rippled throughout Europe. EU Commissioner Vera Jourova stated that the EU will suspend the pact if there are significant future changes, and European civil rights organizations in Ireland and France have appealed to their national courts.
In March, EU Commission VP Andrus Ansip told Reuters that U.S. Secretary of Commerce Wilbur Ross had “confirmed his support for the crucial pillars.” Commissioner Jourova plans to come to the United States to prepare the annual framework review.
Notwithstanding these encouraging signs, the entire episode, like the earlier invalidation of the EU Safe Harbor, demonstrates the fragility of such compliance mechanisms—a fragility with significant ramifications for American companies that handle EU data.
How to Protect Your Business with Backup Plans
After the court invalidated Safe Harbor, many large U.S. companies turned to the standard contractual clauses to comply with EU data privacy laws. Most of them, however, have discovered that, although the standard contractual clauses are intended to be easy for data exporters and data processors to integrate into agreements, they require examination of the data involved in each transaction and are therefore less efficient than the former “blanket” arrangements such as the Safe Harbor or the Data Privacy Shield.
There are additional (or alternative) steps that organizations “in limbo” are taking to proactively protect themselves against data privacy non-compliance. Strategies include knowing their data, limiting the need to transfer data, investing in eDiscovery tools that filter protected PII and other sensitive information, and “backpack” eDiscovery models that keep data processing and review on-site.
Here are a few strategies forward-thinking companies have adopted:
- Know your data. Know what your data is and where it resides. Create a comprehensive data map that identifies data types and locations, and understand which regulations and authorities control that data. Complete the privacy picture with data security and compliance policies, and follow regional and national laws when disposing of data at the end of its lifecycle.
- Limit the need to transfer data. American organizations that store EU customer data in Europe are already in compliance. The Privacy Shield protects EU customer data transferred to storage in the U.S. Consider limiting data transfers, and work with data-in-place. For example, eDiscovery teams would travel to data centers located within national borders to collect, process, review, and analyze data-in-place.
- Choose review tools that protect data. Invest in eDiscovery tools that filter or redact sensitive information, for example by flagging strings that match Social Security number patterns. Anonymization technology strips personal identifiers from data sets, while pseudonymization replaces identifiers so that the subject’s identity is obscured.
- Keep sensitive data local—especially data involved in eDiscovery. If a local data center is not available to host sensitive data subject to litigation, investigations, or regulatory compliance matters, consider the backpack model, in which cross-border teams carry an eDiscovery appliance to the customer site. They use the appliance for data processing, review, and local data storage, staying within national data privacy laws.
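The “choose review tools that protect data” strategy above is easy to describe and easy to get subtly wrong, so here is an added example (not code from the article or from any eDiscovery vendor) of the three operations it names on a single document: pattern-based detection of U.S. Social Security numbers, redaction, and keyed pseudonymization. It assumes the NNN-NN-NNNN format, applies the Social Security Administration’s published rules for numbers that are never issued (area 000, 666 or 900–999; group 00; serial 0000) to cut false positives, and uses a constructed demo key; the sample text is constructed for the example, and in practice the HMAC key would be held separately from the review platform so the tokens stay unlinkable to real people without it.

```python
import hashlib
import hmac
import re

# NNN-NN-NNNN, with lookarounds so a match cannot start or end inside a longer
# digit run (dates, account numbers, 12-digit references and the like).
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Constructed sample document (not real data). One issuable SSN appears twice,
# one string has the SSN shape but can never be issued, one is an account number.
SAMPLE = (
    "Claimant Jane Doe (SSN 123-45-6789) filed on 2017-01-25.\n"
    "Account 1234-56-7890 is not an SSN; 666-12-3456 has the shape but is not issuable.\n"
    "Duplicate reference for Jane Doe: 123-45-6789.\n"
)

# Constructed demo key. A real deployment would fetch this from a key store
# that the review team does not control, so review output cannot be reversed.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def is_issuable_ssn(candidate: str) -> bool:
    """SSA rules for numbers that are never assigned; everything else is treated as real."""
    area, group, serial = candidate.split("-")
    if area in ("000", "666") or int(area) >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every issuable SSN in document order (duplicates kept, so counts are honest)."""
    return [m for m in SSN_RE.findall(text) if is_issuable_ssn(m)]


def _transform(text: str, fn) -> str:
    """Apply fn to each issuable SSN match; leave non-issuable look-alikes untouched."""
    def repl(match):
        value = match.group(0)
        return fn(value) if is_issuable_ssn(value) else value
    return SSN_RE.sub(repl, text)


def redact_ssns(text: str, placeholder: str = "[SSN REDACTED]") -> str:
    """Irreversible removal: the original value cannot be recovered from the output."""
    return _transform(text, lambda _value: placeholder)


def pseudonymize_ssns(text: str, key: bytes) -> str:
    """Reversible only with the key: the same SSN maps to the same token, so records
    about one person can still be linked during review, but the token itself
    reveals nothing without the key (HMAC-SHA256, truncated to 64 bits for readability)."""
    def token(value: str) -> str:
        digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return "SSN_" + digest[:16]
    return _transform(text, token)


def pseudonym_tokens(text: str) -> list:
    """Extract the tokens a pseudonymized document contains, in order."""
    return re.findall(r"SSN_[0-9a-f]{16}", text)


if __name__ == "__main__":
    print("found:", find_ssns(SAMPLE))
    print(redact_ssns(SAMPLE))
    print(pseudonymize_ssns(SAMPLE, DEMO_KEY))
```

The design point worth noticing is the split between `redact_ssns` and `pseudonymize_ssns`: redaction is what you want before data leaves the jurisdiction, because nothing recoverable remains; pseudonymization is what you want inside a review workflow, because the consistent token still lets reviewers see that two records concern the same custodian. Both rely on the same detector, so a detection gap (an SSN written without hyphens, for instance) affects both equally and should be tested for before the tool is trusted.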
Today the Privacy Shield is operating with over 1,500 corporations certified and more joining. But things change. (For example, enforcement of the General Data Protection Regulation begins on May 25, 2018.) Organizations are increasingly getting their internal data privacy frameworks in order, and whether or not the Privacy Shield framework stays in place, they will be positioned to meet their security and compliance obligations across the world.