Privacy Shield is Dead, Long Live Privacy Shield!

Published on 10th June 2021 Author: Rob Black

The European Court of Justice struck down Privacy Shield last July, but the much-maligned privacy program shambles onward like a regulatory zombie. Except this zombie wants to eat time and paperwork instead of brains.

Let me explain.

First, some Privacy Shield context.

A quick recap on Privacy Shield, and why it matters.

Privacy Shield is/was (it’s complicated) an intergovernmental regulatory framework agreed upon between the European Union, Switzerland and the United States, created in July 2016. Privacy Shield was created because the EU and Switzerland have vastly different (generally more protective) privacy laws than the US. US companies providing services and collecting data from EU and Swiss citizens need to comply with their laws. Privacy Shield provides a framework to help companies be compliant.

Privacy Shield is administered by the US Department of Commerce, and companies wishing to become Privacy Shield certified pay a fee and submit evidence proving their compliance.

And what happened to it?

In July 2020, the Court of Justice of the European Union (roughly the equivalent of the US Supreme Court) struck down Privacy Shield for not providing enough protection to European citizens. A few months later, the Swiss government also decided Privacy Shield was inadequate.

In literal terms, Privacy Shield is dead – no longer legal among two of the three agreeing parties. However, Privacy Shield is still being administered by the US Department of Commerce. Companies can continue to recertify for Privacy Shield or even enroll for the first time. (Note – do NOT enroll in Privacy Shield for the first time)

Also, there’s the matter of the thousands and thousands of companies with existing privacy programs built to be Privacy Shield compliant. What should those companies do now?

Privacy Shield Shambles On

A client recently asked us if they should renew their Privacy Shield, including paying the fee.

The gut response to this is “Of course NOT! It’s a dead framework! Why pay to keep compliant with a dead program?”

Well, Privacy Shield isn’t dead, remember? It’s a time and paperwork-consuming zombie.

We learned that a little too late though.

Privacy Shield, like many government programs that have outgrown their usefulness, has un-enrollment paperwork. So we filled that out.

Then, we realized that the client’s privacy policy had Privacy Shield baked in like carrots in a carrot cake. So we edited out Privacy Shield and re-posted their privacy policy.

It took a lot more work, time, and money than is warranted for a dead program. It turns out it might be cheaper and faster to just recertify with Privacy Shield and move on (at least until a new intergovernmental data regulatory framework is created).

If you do want to unenroll from Privacy Shield…

Follow these steps:

Edit your privacy policy, make sure it’s still compliant with recent EU and Switzerland privacy regulations.
If the changes to your privacy policy are substantial, you will need to notify your customers before the changes go into effect.
Unenroll from Privacy Shield.
Fill out the unenrollment paperwork.
Publish your updated privacy policy.

These steps are ordered a little differently from how we first approached this problem but should make it easier. You can learn from our mistakes!

One last important note – you of course must comply with European Union, UK and Swiss law if you’re doing business with those countries! The GDPR is still very much alive and kicking. You need to use Standard Contractual Clauses (SCC) to handle data transfer between these countries.

But who knows how long it will take for the last vestiges of Privacy Shield to be removed from the last company’s Privacy Policy, if ever? How much longer will the US Department of Commerce continue running this doomed program?

I wish we knew.

Privacy Shield is dead, long live Privacy Shield!

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Want to learn more about what we do? Check out our Virtual CISO Services!

Rob Black, CISSP

Rob founded Fractional CISO in 2017 and has helped dozens of companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).