The U.S. Department of Commerce has released the list of the first companies to self-certify under the Privacy Shield. A once-over of the list indicates mainly smaller companies across a spectrum of industries. Who are these firms and what made them dive in early?
One reason is that they were incentivized. Certifying early – by September 30 – means the companies will have a nine-month grace period to get their proverbial ducks in a row before facing scrutiny on their transfers to third parties. That is, "Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework’s effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield."
A Department of Commerce official speaking on background this week said there are currently 60 organizations who've self-certified and another 200 pending, and added the process is going essentially according to plan. Commerce hired additional staff in anticipation of a "rigorous review" process involving hundreds of companies, so they're not struggling to keep up, the official said.
Companies who self-certified immediately say the process wasn’t so far off from Safe Harbor; the responses from the International Trade Administration were swift. Plus, it was worth getting it done early for the competitive edge it gives them over those companies taking their time.
Kickbox is an email-verification service with one of its 15 employees based in London. It will use the Privacy Shield, as it used Safe Harbor, not only for the human resource data transferred from the EU to the U.S., but also for customers based in the EU “that in some cases were very adamant that we become compliant” and “kind of implied that if we didn’t, they wouldn’t be able to do business with us,” said Matt Gonzales, a compliance manager at Kickbox.
But, Gonzales said, even without the demand from existing customers, Kickbox has a history with data protection and privacy it wants to maintain. It sells itself on being the “only provider that requires opt-in compliance” from customers and turns away or terminates clients who purchase or scrape email data.
"At the end of the day, the thought in my mind is, ‘If I were a consumer reading this policy, what would I want to read?’ I think that’s probably the best way to approach it." -Matt Gonzales, Kickbox
“Given our background in privacy and security … moving into the Privacy Shield, once that became the new framework, we knew we had to get that completed,” he said.
“It was a little bit of added effort in that sense, but, it only took a few hours here and there as I could spare to get it done,” he said.
When necessary, Kickbox enlists the services of outside counsel, but in this case, “we found the requirements in Privacy Shield are generally best practice,” Gonzales said of the reason the company didn’t enlist counsel for the task. “I don’t know there’s anything being asked of us within the framework that requires hours of consulting time. We’re already best practice aligned so it was just very straight-forward.”
The International Trade Administration rep who served as Kickbox’s case manager was “super helpful and responsive” Gonzales said. In fact, within 48 hours of submitting its paperwork, Kickbox was notified of some corrections it needed to make.
"Ultimately, the devil’s in the details,” VeraSafe's Matt Jones, CIPP/US, said. "People aren’t talking about the need for subcontractors to demonstrate compliance, and that’s what the big difference is."
The circumstances surrounding VeraSafe’s Privacy Shield certification differ slightly from Kickbox’s, in that VeraSafe itself offers a program to help private entities comply with the Privacy Shield, among other compliance frameworks. It’s also set up as an independent dispute-resolution program for citizens who feel their data has been mistreated, provided the citizen wants to use a body other than the relevant EU DPA to settle the matter. Certifying under the Shield early, then, was essential.
VeraSafe performs a technical investigation of companies’ security controls and data governance, and redlines existing policies to come up with a compliance assessment report and a third-party verification. It offered the same service under Safe Harbor. Matt Jones, CIPP/US, says the biggest operational change, and challenge, is the obligation that covered entities under the Shield require their sub-processors to demonstrate compliance.
“Ultimately, the devil’s in the details,” Jones said. “People aren’t talking about the need for subcontractors to demonstrate compliance, and that’s what the big difference is.”
Clients of VeraSafe who will eventually use its compliance program are a bit skittish about certifying just yet for that reason, Jones said.
“It’s not that they aren’t committed to going through this process and upgrading their subcontracting relationships,” but they’re a bit surprised to see the requirements, he added.
For VeraSafe, it’s not a big problem, because it uses a small group of subcontractors. But that’s not the case for everyone. Even VeraSafe itself doesn’t quite have its ducks in a row in terms of gathering evidence that its subcontractors are compliant, but, that’s why it certified early and took advantage of the nine-month grace period.
“It will require some time,” he said. “It will require people to put some pressure on their vendors, some education for the community of cloud computing, and some patience."
The Commerce official said it was anticipated that the onward-transfer provisions would be complicated and time-consuming, thus, the nine-month grace period.
For Maribeth Minella, in-house attorney and de-facto compliance officer at World Travel, certifying under the Privacy Shield wasn’t a catch-all for data transfers. A U.S.-based company with 500 employees, World Travel had used Safe Harbor before it fell and then model clauses in the interim. While making clear her opinions are her own and not be construed as legal advice, Minella said the Shield is about achieving a high level of standards in general.
“In my opinion, it’s a competitive edge,” she said of the Shield. “We view [the Shield framework] as one more tool in our toolbox so we can be flexible and meet our clients' needs. If we have a client that comes forward and says, ‘Yes, the framework is satisfactory,’ we can do that. If a client comes forward and says, ‘I’m not sure, I really want to sign model clauses,’ we can do that.”
Minella, like Jones and Gonzales, found Privacy Shield certification to be similar to Safe Harbor.
“The difference is that I spent a lot of time making sure our new Privacy Shield policy was truly all-encompassing," she said. "I think that’s kind of the key to why we got in first and early. I had done a lot of legwork to what that policy needs to include, and not just the stuff the government made available on privacy.gov. I have gone all the way back to reading the Article 29 Working Party’s applicable opinions, and I had a very good understanding of what the European philosophy is, so our policy speaks to their data policy and not just to an American sense of data security and policy.”
Kickbox’s Gonzales said the challenge of being an early adopter was that there wasn’t any reference material, so it was hard to know in submitting the initial application whether Kickbox’s language would be sufficient.
“My general suggestions would be read the requirements at face value,” Gozales said. “What they want is a very concise and explicit statement from the organization saying they either subscribe to or will enforce these different requirements. At the end of the day, the thought in my mind is, ‘If I were a consumer reading this policy, what would I want to read?’ I think that’s probably the best way to approach it.”
If you want to comment on this post, you need to login.