The impact of the U.S.-European Union Privacy Shield on companies' compliance with the separate EU General Data Protection Regulation -- taking effect on May 25 -- continues to be a matter of debate and speculation among corporate security professionals and attorneys as GDPR implementation nears.
“Saying that Privacy Shield equals GDPR compliance is overly optimistic,” said John Holmes, general counsel of the security firm Forcepoint. “If you get Privacy Shield certification, that puts you ahead of the curve, but you're not there yet.”
The Federal Trade Commission points out that Privacy Shield is not intended to be a GDPR compliance mechanism.
But U.S. officials have stressed in recent weeks the Trump administration's commitment to Privacy Shield as the foundation for addressing U.S.-EU privacy and security issues related to data exchanges between the jurisdictions.
National Economic Council official Gail Slater, at an April U.S. Chamber of Commerce event, agreed that GDPR is a “real concern” for U.S. business but suggested that it should be viewed “in terms of Privacy Shield” commitments that companies have already made.
Although she didn't elaborate, that could imply that cybersecurity and privacy conduct and practices that go into gaining Privacy Shield certification would put a company in good position to meet GDPR requirements. U.S. officials could not be reached for comment for this story.
Over 2,800 U.S. companies have obtained Privacy Shield certification, according to a list kept by the U.S. government. Privacy Shield was adopted by the U.S. and EU in 2016 to replace the Clinton-era “Safe Harbor” arrangement. The European Court of Justice -- in the aftermath of the Edward Snowden leaks on U.S. surveillance activities -- found Safe Harbor to be inadequate to protect the personal information of European citizens.
“The U.S. government has a strong interest in portraying Privacy Shield as being as strong and effective as possible; they wouldn't want to say, 'but there are a whole lot of other things you'll need to do under GDPR,'” the attorney said. “There's a fine line between being an advocate for Privacy Shield and being realistic about GDPR requirements.”
The attorney said neither document offers much in the way of detail, which provides “both flexibility and uncertainty” and leaves open questions such as what constitutes “reasonable” security efforts.
Further, “Privacy Shield isn't an indication you are compliant with GDPR, which has numerous requirements that don't have anything to do with Privacy Shield,” the attorney said.
This source cited areas like privacy-by-design, privacy default requirements and right-to-be-forgotten rules and said, “There is uncertainty over whether Privacy Shield requires the same kind of things.”
Guidance on GDPR's requirements will come from the European side, the attorney said, including from the European Data Protection Board, which begins operating on May 25.
“Maybe the most effective role the U.S. government can play is to focus on Privacy Shield, help companies comply and put in place things like privacy oversight boards -- things under our control,” the attorney said. “That doesn't really help in gaining certainty on what GDPR means, but it keeps the Privacy Shield process and dialogue with the EU alive, and that's important.”
GDPR carries 'significant costs'
Security professionals interviewed by Inside Cybersecurity warned against overestimating how far companies' efforts to gain Privacy Shield certification will get them in terms of complying with the separate GDPR regime. The two structures overlap in some areas, but GDPR addresses a much broader range of issues, sources noted.
Forcepoint's Holmes said there would be a “significant cost factor” to complying with GDPR, requiring “additional tools and resources” beyond what U.S. companies have devoted toward Privacy Shield certification.
He noted that there is no “compliance mechanism” so far for GDPR, but that it does mandate steps such as performing a privacy impact assessment when a company sets up a security program to address insider threats, for example. Forcepoint's services for addressing both accidental and intentional insider threats are designed to be GDPR-compliant, Holmes said.
“The GDPR provides some guidance but it defers on specifics,” Holmes said, adding that “it's going to take years for the GDPR to find the proper balance of interests. We'll need to see enforcement actions and guidances to see how regulators will define these balances,” he said.
“We're guessing a little bit right now,” according to Holmes. But pointing to the recent Capitol Hill appearances by Facebook CEO Mark Zuckerberg, Holmes predicted “we're going to see more GDPR-type regimes across the world.” In the U.S., he suggested this would likely translate into “piecemeal” policy development in areas like breach notification.
Holmes cited open questions such as how EU authorities would interpret requirements for “reasonable” and “proportional” security efforts, saying, “We need guidance on what that means.”
He also noted the liability protections in the Cybersecurity Act of 2015 and asked whether the new EU standard would raise any conflicts with that U.S. law, which was designed to encourage information sharing.
“Customers have a lot of questions about GDPR requirements, but it's unclear where the guidance will come from on best practices,” he said, saying the FTC, National Institute of Standards and Technology and Department of Homeland Security all could have roles.
A recent survey by the information technology trade association CompTIA found that U.S. companies were largely unfamiliar with the requirements they could face under GDPR. -- Charlie Mitchell