A European Union commissioner said Friday that the first annual review of the Privacy Shield data protection framework would take place in September, supporting optimism for the scheme’s prospects. Uncertainty had been brewing as the European Commission threatened it would dismantle the program without reassurances by the Trump administration.
The review “will be an important milestone where we need to check that everything is in place and working well,” said European Commissioner for Justice, Consumers and Gender Equality Věra Jourová during a Friday appearance at the Center for Strategic & International Studies. “This first review will be crucial to continuing this mechanism. We need to cover several important topics. One will be whether or not there are positive or negative changes in the American legislation.”
Jourová had previously tweeted optimistic comments about talks this week with U.S. officials on the framework. Yet, a Commerce Department press official on Friday morning said any statement about the outcome of talks was “kind of up in the air at the moment.” By Friday afternoon, an official said Commerce would not be commenting on the situation.
Even if the Privacy Shield survives the new U.S. presidency, it could be impacted by legal challenges in Europe.
Nearly 2,000 U.S. companies are participating in the Privacy Shield framework. The self-certification program counts several U.S. travel management companies and other industry providers as signatories. It lays out protocols related to transfers of personal data on European citizens to the United States. Without it, companies may need to comply with the regulations of each individual country from which they export data.
“If they were to repeal Privacy Shield, it puts more friction into doing deals,” said Oversight Systems CEO Patrick Taylor. “Laws of different countries force clients to behave in different ways. They have to comply with that and that then forces that on me.”
Oversight, an expense fraud detection company, announced its certification under the framework in December. World Travel Inc. was the first travel management company to join, followed by others including FCM, Omega World Travel, Ovation Travel Group and Travel and Transport.
“We’ve always viewed Privacy Shield as a tool in the toolbox that we can use to facilitate cross-border data transfers,” according to World Travel Inc. EVP and corporate counsel Maribeth Minella. “If Privacy Shield does not work for a client — now or later — our alternative is always to put in place a secure data transfer that meets applicable laws, rules and/or regulations. There are many moving parts connected to cross-border transfers that range from different requirements from country to country, the upcoming General Data Protection Regulation, Brexit, etc. The key for any business is to stay informed and be able to put in practice, quickly, administrative and technical solutions that meet a client’s needs.”
Other companies including American Express Global Business Travel and BCD Travel have said all along they would use other means.
According to BCD Travel EVP for technology, products and innovation Russell Howell, the TMC’s U.S. operating company “decided last year to not certify under the Privacy Shield, the replacement to the U.S. Safe Harbor Framework that was declared invalid in October 2015. Instead, we are pursuing Binding Corporate Rules, Model Clauses and other more highly regarded mechanisms used to transfer personal data between the European Union, U.K. and the U.S. It appears we made the right decision given current concerns over whether … Privacy Shield will survive as a long-term solution in the European Union and the U.K.”
Model clauses are “doable but it’s just much more painful” than a broad program like Privacy Shield, according to Taylor.
“Information security has made business harder,” he said. “If we wonder why productivity numbers don’t go up more, I could argue all the time we spend on security is decreasing productivity. But you can’t not do it. The threats are very real. Our network is probed by potential hackers regularly.”
Of course, self-certification and the other commitments do not in themselves protect personal data. Taylor said Oversight doesn’t house personally identifiable information, but “we act like we do.”
The company employs data-protection best practices, ranging from storing only the data it needs to using firewalls, encryption, intrusion detection systems, third-party tests and regular software updates. Only those who need to see data to do their jobs have access to it.