Protected by the (Not-So) Secure Privacy Shield?

The 3,100 U.S. organizations that thought their business dealings with the EU were protected by the EU-U.S. Privacy Shield program might want to take another look at GDPR compliance measures. Transfers of personal data may not be as risk-free as they thought.
On July 5, 2018, the European Parliament passed a (fortunately non-binding) resolution calling on the European Commission to suspend the EU-U.S. Privacy Shield unless the U.S. administration introduces adequate data protection safeguards by September 1, 2018. The Privacy Shield agreement aims to facilitate transfers of EU personal data to the United States, and if it is broken, companies that depend on personal data transfers risk facing legal questioning. Once again, the question has to be asked: Wouldn’t it be better for companies to establish policies and processes to be GDPR compliant, including establishing full inventory and traceability of personal data, rather than wait for further, inevitable regulation to come along? Anyone bypassing the data intelligence challenge because “we’re covered by the Privacy Shield” may be placing a risky bet: EU parliamentarians (MEPs) aren’t satisfied with the Privacy Shield, for a few reasons.

First, they don’t trust that companies registered under the Shield are doing all they should to ensure data privacy. Facebook and Cambridge Analytica were both registered, and as we know, Facebook has just been slapped with a £500,000 ($663,000) fine (the maximum fine available, as the offense predated GDPR activation). The MEPs want Privacy Shield protection removed from companies that misuse personal data and for the U.S. to act swiftly to discipline them.
The second issue concerning MEPs is that the U.S. is, at best, moving slowly to meet the requirements that countries with special data sharing arrangements like the GDPR must have, such as independent bodies that monitor how Europeans’ data is used, to ensure compliance once it leaves the EU. Currently there is a U.S. Privacy Civil Liberties Oversight Board, but the appointment of members has been slow, and there is no permanent Ombudsman to chair the Board.
The final issue (for now) calling the Privacy Shield into question for MEPs is the recent U.S. adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which grants the U.S. and foreign police access to personal data across borders. MEPs point out that the U.S. law could have serious implications for the EU and could conflict with EU data protection laws.
The bottom line is that the Privacy Shield is vulnerable. Businesses relying on it to protect their dealings with E.U. residents would be smart to back their bet with a solid foundation for managing private data — implementing a solution that provides data governance, understanding, traceability and reporting to ensure transparent, compliant transfers of data worldwide.
To learn how ASG’s Enterprise Data Intelligence solution can buttress companies’ data security and compliance regardless of EU-U.S. Privacy Shield protection, and provide the platform for data governance and monetization, check out our solutions page. For more information on how ASG is addressing the tightening regulatory landscape, read this release.
Posted: 7/17/2018 8:08:24 AM by Ian Rowlands
Filed under: Data, EU, GDPR, Intelligence, Privacy, Shield