This is a new development, and assuming it is carried through in practice, it answers one of the main criticisms of Privacy Shield: its lack of enforcement. It also marks a notable change for the 4,000-odd companies registered under the framework.
Until now, Privacy Shield has been viewed by many as a tick-box exercise. Companies would simply upload their privacy policies, pay a fee and then be self-certified. No third party had to be involved to verify the policies or whether they were actually followed. Clearly, this was hardly robust.
If companies will now need to demonstrate compliance with the requirements of Privacy Shield, and by extension create and follow more robust privacy policies and procedures, then for many this will mean a marked increase in the effort spent protecting EU citizens' data.
There may still be no threat of financial fines, but active statements of enforcement are a marked improvement on the past. Revocation of certifications will most likely depend on complaints and whistleblowing, and it is true that the Federal Trade Commission has received only four complaints of false or lapsed compliance by companies in two years. But GDPR and other national privacy legislation have heightened scrutiny, from society and from companies alike, of how data is collected, shared and used. More objections are therefore likely, which in turn raises the stakes of holding or losing the certification.
We may well see revoked certifications having dramatic commercial impacts on companies whose ability to tender for, or continue to hold, certain contracts depends on holding that certification. For a few, revocation may even be more dangerous than the fines possible under GDPR, and we all saw how those potential penalties spurred the global business world into action.
Of course, we have to wait and see what actually happens. Privacy Shield will most likely live to see another day, or year. The above warning will lead to either a serious change in how Privacy Shield operates and companies treat it, or the criticism of “toothlessness” will continue. The imminent report will reveal all, but it certainly appears that the wheels are in motion to require companies to go to a great deal more effort with Privacy Shield than they have before.