Google Signs Up For EU/U.S. Privacy Shield

Google has signed up for the EU/U.S. Privacy Shield, which provides a set of enforceable protections for the personal data of EU individuals.

As described by the U.S. Department of Commerce, Privacy Shield "was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce."

In October 2015 its predecessor Safe Harbor was struck down by the European Court of Justice as invalid, leaving U.S. companies that share European personal data in limbo over how to remain compliant with European privacy laws. This was settled on July 12 when the European Commission (EC) adopted Privacy Shield as a replacement for Safe Harbor.

"Today Google signed up for the EU-U.S. Privacy Shield, submitting our certification to the U.S. Department of Commerce for approval," wrote Caroline Atkinson, Google's Head of Global Public Policy, in a blog post last week. Google has a long history of problems with European data protection regulators, and its announcement can be seen as an endorsement of the workability of Privacy Shield. Time alone will tell whether Google's lawyers and European lawyers will agree on the detailed interpretation of the new requirements.

Google joins Microsoft, Salesforce and more than 100 other U.S. companies that have signed up since the process came into force on 1st August, although it should be noted that Google is not yet listed on privacyshield.gov. Nor, for that matter, are the other U.S. internet giants Facebook and Twitter.

On Sept. 1, the EC noted that Privacy Shield certified companies "can receive personal data from the EU in full compliance with EU data protection rules." It added, "The Department of Commerce is currently reviewing the privacy policies of 190 further companies that have signed up to the Shield while an additional 250 companies are in the process of submitting their application."

Microsoft became Privacy Shield certified on Aug. 12. The company appears to believe that its existing privacy policy is Privacy Shield-compliant, but has stated, "If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern."

The reality, however, is that Safe Harbor compliance isn't a simple shoehorn into Privacy Shield compliance. While the underlying principle is the same (U.S. organizations' compliance with European data protection laws), there are some notable differences. This leaves a potential danger: organizations that complied with Safe Harbor might simply seek self-certification for Privacy Shield while actually being non-compliant. There are some notable additional requirements in Privacy Shield.

One of the simpler requirements comprises additional on-site declarations. For example, the organization's privacy policy must include a commitment to the Privacy Shield Principles (see Microsoft's statement above). There must also be a link to the DOC's Privacy Shield website, and a link to the new independent recourse mechanism.

The law firm McDermott Will & Emery notes, "consumers must be informed of their rights to access their personal data, the requirement to disclose personal data in response to a lawful request by public authorities, the identity of the enforcement authority with jurisdiction over the organization’s compliance with the Privacy Shield, and the organization’s liability in cases of onward transfer of personal data to third parties." The purpose of many of these new requirements is to align Privacy Shield more closely with the upcoming European General Data Protection Regulation (GDPR).

Privacy Shield also introduces new redress mechanisms which include timescales by which U.S. companies must respond to complaints from EU citizens. If all else fails, Privacy Shield also requires that U.S. companies must commit to binding arbitration over any unresolved complaints.

Onward transfer of EU personal data is one of the big differences, and was an area key to the downfall of Safe Harbor. Privacy Shield now requires a written contract with all third parties that will receive EU data. "These obligations, triggered by transferring EU personal data to service providers, require active procurement service provider management, careful contracting and diligent oversight, all of which impose compliance costs on certified companies," notes McDermott Will & Emery.

It should be noted, however, that despite the additional rigors of the Privacy Shield, many European privacy activists do not believe it goes far enough. One of the biggest concerns is unfettered access to European data by U.S. law enforcement and intelligence agencies. While the U.S. has delivered verbal assurances to the European Commission, activists believe that changes to U.S. law are required. It is considered likely that Privacy Shield will be challenged in the European courts in the future.

In the meantime, Privacy Shield provides legal certainty to U.S. companies trading in and with the European Union. The biggest current danger is that U.S. companies might rush into self-certification without actually being compliant. Where this happens, it should also be noted that the DOC expects, and is expected, to play an active role in enforcing Privacy Shield.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.