How much have you thought about your information and who is sharing it...

I wanted to share this article by Amon Cohen, published on The Beat on August 17, 2016.

Yes, the content isn't mine, but I think it is super important for me to share this with you, as the information travel companies hold on you is so important and so personal. I mean, not only do they know where you are at specific points in time (e.g. London airport - boarding XXYY flight) but also very personal information (e.g. emergency contact).

I have to say that I am very proud to work for a company that takes this information seriously and is careful about it being kept and transferred. "Binding Corporate Rules we operate under provide for international transfers in a much stronger and, at this point, less uncertain way," quoting from the statement in the article by Kasey Chappelle, American Express Global Business Travel Chief Privacy Officer and Vice President for Commercial Compliance.

I never really thought about this until I recently encountered information about a friend who had a personal investigator following them. Knowing that my friends and family are safe is very important to me. However, someone looking for them for ulterior motives does not impress me at all.

Privacy and data protection are becoming more important as we begin to share and rely on the cloud for information, which is why I felt it was important to share this article.

A big thank you to The Beat for publishing it.

U.S. Corporate Travel Players Weigh Options For Complying With EU Data Protection Rules

The Beat, Amon Cohen, August 17, 2016

https://www.thebeat.travel/post/2016/08/17/US-Corporate-Travel-Players-Weigh-Options-For-Complying-With-EU-Data-Protection-Rules.aspx

Keeping compliant with the European Union's tough personal data privacy laws used to be straightforward. The EU exercises stricter data privacy laws than the United States. That's why it also has rules ensuring that transfers of data about its citizens across the Atlantic must comply with its more stringent standards. Meanwhile, many of the corporate travel industry's dominant service providers, and thus their primary data servers, are based in the United States. They import data about individuals—including names, employers, where the employees travel and credit card details—from Europe on a daily basis, and under a framework called Safe Harbor, U.S. companies could declare they transferred data in a compliant manner.

But it was hard to check whether they really were following the rules, and Safe Harbor died in October 2015 when the European Court of Justice invalidated the framework because of that lack of oversight. The ruling also questioned whether any transfer of data to the United States could be considered compliant because Edward Snowden's 2013 revelations made it clear the U.S. government has routine access to corporate electronic records.

In July 2016, though, the European Commission approved a successor to Safe Harbor called Privacy Shield. It gives EU member states' data-privacy authorities the oversight Safe Harbor lacked over U.S. companies that commit to it. Privacy Shield also offers firmer limits on U.S. government access to data and makes the commitments given by companies that sign up enforceable under U.S. law.

One name from the travel sector, World Travel, appeared on the debut list of 35 companies self-certifying for Privacy Shield this week. But is that the best way for United States-based service providers to meet European data requirements? The jury is out.

There are at least two other options for transferring data, both of which have become more prevalent since the European Court of Justice decision. One is inserting model, or standard, contractual clauses, into contracts to guarantee that service providers treat transferred data in compliance with the EU Data Protection Directive. The other is Binding Corporate Rules. According to a statement from Kasey Chappelle, American Express Global Business Travel chief privacy officer and vice president for commercial compliance, this option requires "companies to gain the approval of all relevant EU data protection authorities for a set of binding internal rules governing how data will be collected, processed, used and shared, ensuring adequate protections no matter where in the corporate family the information is transferred."

Leading United States-based service providers delivered different answers about how they're handling data, and some companies simply don't want to discuss Privacy Shield. Carlson Wagonlit Travel declined to comment. Concur did not respond. Sabre and Travelport ducked questions about Privacy Shield, but Sabre said it remains "compliant with EU data protection requirements, including, among other things, our use of model clauses where appropriate." Travelport favors the same route. "Travelport's data transfers from the [European Economic Area] to the United States are conducted under the EU model contracts," it commented. "These model contracts establish a data-transfer mechanism recognized by the European Commission as complying with EU law."

Two companies willing to put their heads above the parapet were Amex GBT and BCD Travel. Both expressed skepticism about Privacy Shield and retain their faith in alternative mechanisms. "We don't plan to certify for Privacy Shield at this time because the Binding Corporate Rules we operate under provide for international transfers in a much stronger and, at this point, less uncertain way," according to Chappelle's statement. "We're the only TMC to operate under Binding Corporate Rules, which applies more broadly and currently enjoys more legal certainty. Unlike Privacy Shield, Binding Corporate Rules are reviewed and approved by each relevant EU data protection authority. Filing for Privacy Shield certification would at best duplicate the protections currently provided by the BCRs, and at worst could conflict with them."

She added: "We're already starting to hear about planned legal challenges [to Privacy Shield] and questions from data protection authorities. I wouldn't advise dispensing with backup transfer mechanisms just yet, given the amount of uncertainty around its validity," said Chappelle.

Taking a similar line, BCD Travel executive vice president for technology, products and innovation Russ Howell said: "After careful review of the EU-U.S. Privacy Shield, we hold the view that it is still uncertain whether it will present a reliable and long-term basis for data transfers from the EU to the US. Therefore, at this time, BCD Travel does not intend to certify under the Privacy Shield Framework."

BCD is obtaining Binding Corporate Rules approvals from EU data protection authorities, a process which takes more than 12 months. Howell said: "Our overall data protection strategy will be to continue to rely on the following key data transfer mechanisms since Safe Harbor was invalidated: Binding Corporate Rules, model clauses, robust contractual clauses, and other data transfer and consent agreements. We will also comply with the new General Data Protection Regulation enacted in April, which we believe will be more impactful than the Privacy Shield." The regulation, which particularly favors Binding Corporate Rules for data transfers to locations outside the EU, will apply starting May 25, 2018, and is a more robust successor to the European Data Protection Directive. Fines for non-compliance will be up to €20 million or 4 percent of annual worldwide turnover.

Other corporate travel figures believe Privacy Shield is the way to go. While agreeing "there is still some legal uncertainty about it," Hans-Ingo Biehl, executive director of German travel buyers association VDR, told The Beat: "Our legal adviser is telling us that every corporate which has partners that transfer data to the United States must check whether transfers are taking place and make sure they are handled under Privacy Shield in the future. If they don't do that, they should not be allowed to transfer to the United States. It is still unclear if Binding Corporate Rules or model contractual clauses will continue to be accepted. Everyone is waiting for the Article 29 group to comment on this."

The influential Article 29 Working Party represents national data protection authorities. Its most recent public utterance on United States-bound data transfers, made on July 26, listed several grievances about Privacy Shield and warned: "The first ... annual review [in July 2017] ... will be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed." The statement added that the same review "may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses." 

Biehl added that the most reliable solution would be for service providers to store their data in Europe, especially following a U.S. appeals court decision on July 14 that barred the U.S. government from compelling Microsoft to hand over email stored in an EU country, in this case, Ireland.

World Travel is offering customers a choice among Privacy Shield, model contractual clauses and, if neither is appropriate, customized contractual language. Sharing her opinion with The Beat, World Travel executive vice president and corporate counsel Maribeth Minella said she expects the validity of Privacy Shield to be challenged legally but nevertheless considers it effective both legally and as a promoter of good practice. "If you go to the root of Snowden and the Schrems [European Court of Justice] decision, that was largely geared to the issue of government surveillance," said Minella. "The [Privacy Shield] Framework makes the next best effort at closing the gap on that issue. The language of Privacy Shield can appear very generic, but you have to put very practical measures in place. I tell our staff that in Europe, data privacy is very much a right and you have to figure out how to honor that in a B2B context."

As a practical example, Minella said e-mailing an Excel spreadsheet containing personal data without protections like encryption and passwords would be unacceptable.

She predicted that U.S. service providers will hear a lot more from clients about Privacy Shield. "A very easy RFP question would be: 'Have you elected to go on the framework? If you haven't, please explain why.' There's nothing wrong with electing not to, but you need to explain that," she said.
