U.S. Companies Slow to Adopt European Data Transfer Agreement
Uncertainty remains that the terms will survive legal tests in the EU
Microsoft said it applied for Privacy Shield certification. Other U.S. companies have been slow to sign on to the new international data-transfer agreement.
By DANA HEIDE
Aug. 14, 2016 1:44 p.m. ET
U.S. companies have been slow to sign on to a new international data-transfer agreement with the European Union for reasons that include uncertainty that the terms will survive legal tests in the EU, experts said.
The agreement, called Privacy Shield, allows businesses to transfer personal data on European citizens to the U.S. About 40 companies have been certified under the new rules since Aug. 1, when the U.S. Department of Commerce began accepting applications, the agency said on Friday.
“Many American companies are waiting to see if the Privacy Shield survives an expected challenge by privacy advocates in the European courts,” said Jay Cline, who heads cybersecurity and privacy at PwC, an international consultancy. “So we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.”
Some companies still need to implement new measures to comply with the new system, such as updating privacy policies with information about where customers can address complaints. Many firms waited until the EU formally published the new mechanism’s documents in mid-July before beginning to implement the new requirements, company representatives said.
Other companies are evaluating whether the new agreement offers advantages over alternative approaches to complying with European data protection laws, experts say. Alternatives include so-called model clauses—standardized data-protection language preapproved for addition to contracts with customers—and binding corporate policies approved by the EU.
More than 4,000 U.S. companies had been certified under the previous, less robust agreement, known as Safe Harbor, before it was invalidated by the European Court of Justice last year in the wake of Edward Snowden’s revelation of U.S. surveillance programs.
Microsoft applied for Privacy Shield certification on the first day applications were accepted, the company said. The Redmond, Wash., software giant said it implemented both Privacy Shield principles and model clauses. The combination strengthened Microsoft’s competitive position, said John Frank, Microsoft’s vice president for EU Government Affairs.
“European privacy protections are important to European citizens and organizations. We offer EU-approved Model Clauses and we have signed onto the Privacy Shield rules so that we can offer our customers strong data protection standards,” Mr. Frank said.
Amazon.com Inc. competes directly with Microsoft in cloud infrastructure services—the reason for much of Microsoft’s data transfer activity—yet it hasn’t yet applied for Privacy Shield certification.
“The new EU-US Privacy Shield does not impact AWS customers” because the company maintains data centers in several countries where its customers can store their data, and that it also uses model clauses, wrote Stephen Schmidt, vice president of security engineering and chief information security officer of Amazon Web Services, in a recent blog post. Amazon nonetheless planned to apply for Privacy Shield certification, he added.
Experts say Privacy Shield certification is likely to help companies compete with rivals.
“When Safe Harbor was still in place, we saw that companies who were part of it had a competitive advantage in competitive bids over companies who used model clauses. I think we will see the same with Privacy Shield,” Mr. Cline said.
BSA, a software industry organization dedicated to international trade, expects Privacy Shield eventually to be adopted as widely as its predecessor.
“We expect that at least the 4,000 companies who applied for Safe Harbor will apply for the new mechanism as well,” said Thomas Boué, an expert on privacy issues at BSA.
A study by the Future of Privacy Forum, a think-tank based in Washington, D.C., said the Safe Harbor agreement got off to a slow start when it launched in 2000. Some commentators blamed the delay on companies wanting to gauge the consequences of abstaining, the report said. Others blamed bureaucracy.
Despite the new agreement, the rules that govern handling of data on European citizens remain unsettled. Both Privacy Shield and model clauses are likely to be examined by the European Court of Justice, and Christian Schefold, an expert in data protection and compliance at the international law firm Dentons, expects model clauses to fail the test.
As for Privacy Shield, the European Commission has said it was confident it would withstand legal challenges.
The annual fee for Privacy Shield certification depends on the size of the company and can cost up to $3,250. The application process usually takes from several weeks to six months, experts said.
—Natalia Drozdiak contributed to this article.
Write to Dana Heide at firstname.lastname@example.org