2016 Sep 08
A survey shows multinational companies remain wary of a new international data-transfer agreement between the United States and the European Union, and many are relying on contract provisions that could be invalidated by Europe’s highest court. The survey of 600 privacy professionals, conducted in June and July, found only about one-third say they plan to use the agreement, known as Privacy Shield, which allows businesses to transfer personal data on European citizens to the United States. The European Commission says 103 companies have been certified under Privacy Shield since the U.S. Commerce Department began accepting applications, and the Commerce Department is reviewing the privacy policies of 190 other companies. By comparison, more than 4,000 firms had been certified under an earlier agreement, known as Safe Harbor, before it was invalidated by the European Court of Justice last year.
In the survey, by the International Association of Privacy Professionals and consulting firm EY, 81 percent of respondents said they are relying on model contract clauses approved by the European Union to transfer personal data on EU citizens. But those clauses are considered likely to be invalidated by the European Court of Justice, which would again expose companies to sanctions for moving data improperly. Legal experts say the model clauses are on shaky legal ground because they do not adequately restrict the access of U.S. authorities to data of European citizens. The court used similar reasoning in striking down Safe Harbor. Legal experts offered several reasons why companies are not embracing Privacy Shield, including the possibility that it, too, will be invalidated. Another reason companies may be holding off is that another set of rules, known as the General Data Protection Regulation (GDPR), is scheduled to take effect in May 2018, meaning the Privacy Shield regime may have a limited lifespan. The GDPR rules are much broader, including, for example, the so-called right to be forgotten that forces companies to delete personal data of European citizens upon request. In the survey, 89 percent of respondents said they are taking steps to comply with the GDPR rules, reports the Wall Street Journal (7 September, Heide).
From “Multinational Companies Wary of Transatlantic Data-Transfer Agreement”
Abstract News © 2016 Information, Inc.