The adoption of Privacy Shield by US and EU regulatory authorities, the successor to Safe Harbor that has governed the transfer of personal data between the US, Canada and the EU for over a decade, has come as an anti-climax, leaving plenty of uncertainty in its wake. The biggest sticking point for EU privacy advocates remains whether US companies can guarantee that they can, in fact, shield EU citizen data from US federal data collection protections. But differences in how EU regulators want US organizations to treat their citizens’ data could also translate into more rigorous requirements for meeting the agreement’s principles.
Compliance with Privacy Shield, like many regulations focused on data flows, is based today on self-certification and self-assessment based on agreement principles. But why are we still relying on “I’m good for it” as a way to prove compliance? In an age of big data and distributed infrastructure, confirming data flows should be done through data intelligence, and not statements of good intention.
Making Data Privacy, Data Driven
Self certification around data movement has an obvious problem when it comes to compliance: how do you know where the data’s been or where it’s going with any certainty if you’re not tracking it. Even well-intentioned audits can only reveal so much when they only rely on fallible human interviews and surveys. Compliance is meant to be an exact test of conformance not a fuzzy measure of best effort. In the case of Privacy Shield, self certification creates the secondary problem that the agreement will inevitable face legal challenge in the EU’s Court of Justice and will at some point will more than likely revised. That begs the question for an organization: how do you confidently certify compliance today, tomorrow and in future even as the metric may change.
The US Department of Commerce (the certification authority for US organizations) now has the power to monitor and actively verify that privacy policies are in line with the relevant Privacy Shield principles — but not the actual data processing and data management practices in place that should conform to the policies. Also, as part of the revision to Privacy Shield, the Commerce Department can initiate reviews and require participating organizations to “respond promptly” to investigation requests.
Certifying that organizations are complying with a Privacy regulation in general and Privacy Shield specifically will have to evolve from trust to verify. Organizations already monitor and track all sorts of data inside the organization, but as of today, personal data is not one of those assets. This becomes more problematic when you consider the full scope of Privacy Shield.
While protecting EU citizen data from being caught up in the dragnet of US surveillance remains the major concern of Privacy Shield, the current agreement also incorporates a “purpose” limitation principle — proving that data is processed only for the purposes to which users consented to. Privacy Shield’s antecedent provided no restrictions in how EU citizen data could be used in the US. That is no longer the case. Now, the agreement provides for limitation of use, retention and other data processing restrictions. But without an exact mechanism for verification there is little proof of compliance that can be provided beyond one’s word. EU citizens must rely on US organizations asserting they conform without data proof.
All political wrangling aside, what is clear from Privacy Shield is that data transfers across the Atlantic (and post Brexit potentially across the English Channel) are going to be subject to a greater level of scrutiny going forward. However the basis of proof used to attest compliance remains stuck in a period that predates computers let alone modern data analysis. When it comes to personal data, Privacy Shield certification is far from data driven. It’s all trust and no verify.
Bringing Data Mapping Into the Era of GPS
There is a range of opinions on how organizations will respond when the self certification process re-opens on August 1. Some observers believe that with so much uncertainty looming, many will hold off on self certification. Others argue that because self-certification means organizations can legally engage in transatlantic data transfers under a single umbrella agreement rather than implementing contractual clauses with individual data partners, many will jump at the opportunity.
In either outcome, however, organizations that manage and process personal data from EU citizens will have to be more systematic about understanding not only whose data they have (and how much of it they have), but also how that personal data moves through their infrastructure and which third parties have access. Regardless of whether self certification does survive the next legal challenge, data driven, quantitative data mapping will emerge as a key requirement for meeting the new principles of Privacy Shield specifically but also the general principle of responsible personal data protection and privacy for all corporate custodians of consumer data.
Today we live in an era of advanced data analysis and worldwide global positioning. There is no reason to rely on Christopher Columbus era data flow cartography to measure how information moves between companies or countries.