News Archives

Wednesday, August 17, 2016

Slow Take-up for Privacy Shield Unlikely to Last

During the first 15 days that the Privacy Shield self-certification process was open for submissions, only 40 companies were placed on the list by the Department of Commerce, although the DOC announced that it was reviewing another 200 or so filings.  A review of the certifications conducted a few days ago showed that the only well-known companies on the list were Microsoft, Salesforce and Workday, with the balance appearing to be small niche-oriented firms.  At the present time, however, navigation past the handful of companies appearing on the first page of the list is unavailable, possibly due to traffic overload or other technical problems or disruptions. 

The take-up for the Safe Harbor framework was also slow back in 2000, much slower in fact, but back then companies were still discovering that they had compliance obligations under the EU Data Protection Directive and the program was quite novel, with considerable uncertainty attached to it.   These conditions don’t apply today, but there are new inhibiting factors at play:  (a) a gap of some nine months since the Safe Harbor adequacy decision was invalidated by the Court of Justice of the European Union, forcing many companies to switch to and settle into other transfer mechanisms, such as model contracts; and (b) continuing uncertainty about whether Privacy Shield will withstand the legal challenges likely to be brought against it by citizens or DPAs such as Hamburg's Johannes Caspar.   Nevertheless, Privacy Shield remains the only game in town for a large number of companies, making it very likely that the number of participants will swell, even if the mechanism proves to be only a temporary solution.  According to an August 16 press release, TRUSTe is working with over 500 companies to assess and verify compliance with the new requirements for Privacy Shied.

Increased numbers of submissions can be expected by September 30, the last day to take advantage of an official grace period to bring contractual relationships with third parties into alignment with Privacy Shield requirements.  However unfair and unjustifiable this grace period may be, companies submitting certifications after that date will have to attest that they have such relationships in order as of the date of filing.  

No comments:

Post a Comment