A few dozen companies committed to upholding European Union law when handling its citizens’ data under the new Privacy Shield framework created by the U.S. Department of Commerce and European Commission. One of them is travel management company World Travel Inc. of Pennsylvania.
The framework may not be a permanent replacement for the Safe Harbor regime a European court dismantled last fall. World Travel views participation as a way to do right by clients. Hogg Robinson Group is finalizing an application on behalf of its offices in North America. However, not all TMCs see the need. American Express Global Business Travel and BCD Travel have no plans to take part. There are several ways to commit to legal protection of European personal data.
Regulators designed the Privacy Shield “to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce,” according to a Commerce department statement.
The self-certification program began taking on business signatories Aug. 1, after EC three weeks earlier deemed the framework adequate. Key components include a code of conduct, oversight and enforcement, an ombudsperson mechanism and other safeguards and limitations.
Participants must develop Privacy Shield-compliant privacy statements. They accept the possibility of U.S. regulatory enforcement and European investigation. The framework requires adherents to limit gathered personal information only to what’s relevant for the purpose. It necessitates redress measures.
According to a prepared statement, World Travel agreed to the framework “purposefully as an early adopter” to help assure multinational customers of its commitment to data privacy. The company also uses the EU model clauses and is certified in Payment Card Industry (PCI) Data Security Standards (DSS) and the AICPA’s Service Organization Controls (SOC). HRG officials mentioned PCI DSS and also the International Organization for Standardization’s 27001 information security standard.
Privacy comes up in “every” request for proposals from “savvy multinationals,” said World Travel Inc. executive vice president and corporate counsel Maribeth Minella. “It’s a litmus test. It’s not entirely clear whether the Privacy Shield is ‘the answer.’ We’ll have clients who say the Privacy Shield is great. Some clients will have different perspectives.”
According to BCD Travel EVP for technology, products and innovation Russ Howell, “We hold the view that it is still uncertain whether the Privacy Shield will present a reliable and long-term basis for data transfers from the EU to the U.S. Therefore, at this time, BCD Travel does not intend to certify under the Privacy Shield framework.”
BCD Travel is working with the European national Data Protection Authorities for approval to use binding corporate rules, a framework American Express Global Business Travel already uses. BCD also uses the model clauses, “robust” contractual clauses and “other data transfer and consent agreements.”
“We don’t plan to certify for Privacy Shield at this time, because the binding corporate rules we operate under provide for international transfers in a much stronger and, at this point, less uncertain way,” according to a GBT spokesperson. “Filing for Privacy Shield certification would at best duplicate the protections currently provided by the BCRs, and at worst could conflict with them.”
World Travel typically is pulling in customer data for business transacted by its partners in European nations. BCD, HRG and GBT have their own operations in both regions, and serve larger clients.
Charles Denyer is a Washington, D.C.-area cybersecurity expert and auditor with NDB Accountants & Consultants. He worked with World Travel on PCI compliance and other matters. Denyer said that relative to a general program like the Privacy Shield, applying for BCRs is more granular and exhaustive. The requirements are more stringent. BCRs are reviewed by each EU Data Protection Authority. As such, it’s more an option for large multinationals.
Concern For Legal Challenges
EC’s endorsement of the Privacy Shield is subject to review by the member nations’ DPAs. They said they would not challenge the framework for at least a year. In the meantime, privacy advocates could claim that it does not fully protect European citizens from surveillance by U.S. public entities. Experts are blaming legal uncertainty for weak initial support.
Denyer was skeptical of the skeptics. The Privacy Shield process, he said, is very similar to that of Safe Harbor. “They both revolve around policies, procedures and processes,” he said. “The problem with Safe Harbor was it was somewhat vague in its interpretation. This has more clarity on safeguards, and clearer guidelines in the documentation. If anything, the process is now more streamlined.”
He does question the whole notion of self-certification, which privacy advocates also attack.
BCD noted that it also plans to comply with EC’s General Data Protection Regulation (GDPR) enacted in April, “which we believe will be more impactful than the Privacy Shield.”
GDPR takes effect in 2018. Until then, World Travel’s Minella acknowledged, the Privacy Shield could be a placeholder.
“The driver of complexity is there are so many applicable laws out there,” said Minella. “To meet the highest standards is a lot of work, but it’s a good exercise. For any company thinking seriously about data security, it makes sense. To me, it’s a riskier proposition to do nothing. You need to be able to put something in front of the client, and if you can’t, you end up having to explain yourself.”
More than 4,000 companies had self-certified under the defunct Safe Harbor program.
Additional info: Minella said her opinions do not represent company positions and should not be construed as legal advice.