Compliance and surveillance
The number of Privacy Shield companies still lags behind the number that used Safe Harbor, which could indicate that Privacy Shield is more difficult to comply with, added Elodie Dowling, corporate vice president and general counsel for Europe, the Middle East, and Africa at BMC Software.
In addition to the legal challenges, some EU data privacy regulators have suggested that Privacy Shield "does not do enough to curtail U.S. surveillance," Dowling added. EU privacy regulators will review the agreement in 2017.
The legal challenges may be only beginning, she added. Max Schrems, the Austrian man who led the fight against Safe Harbor, has questioned how 500 companies received certification in the first month Privacy Shield was available.
"This is undoubtedly showing that there are serious concerns around ... Privacy Shield and its ability to indeed protect EU citizen’s fundamental right of privacy when their personal data is being transferred to the U.S.," Dowling said.
BMC has not yet signed up for Privacy Shield, instead deciding to "rely on another mechanism to safely and legally transfer personal data outside of the EU anywhere in the world" -- through binding corporate rules.
For Privacy Shield to succeed, it needs support from the EU, including the data protection authorities in each member state, added David Hoffman, Intel's associate general counsel and global privacy officer.
Intel supports the new agreement but wants to keep other mechanisms, such as binding corporate rules, in place as well, he said.
If data transfers are between subsidiaries of the same company, companies can use binding corporate rules to define the data responsibilities. As an alternative to Privacy Shield, companies can protect external transfers through model contract clauses restricting what the receiving company may do with the data.
But companies are concerned about the future of those alternate data transfer methods as well, Hoffman said. While Privacy Shield and alternative transfer methods are in place for now, the future is uncertain.
"Some of the same arguments about Safe Harbor and Privacy Shield can be made about alternative transfer methods," he said. "If there are concerns about law enforcement and national security agencies accessing information, then there would be the same concerns about alternative methods because those agencies can also access it when it's transferred by other means."