Is Privacy Shield a way to comply with GDPR?
June 28, 2018
The European Union’s General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018, and companies throughout the world have devised privacy programs that comply with this new regulation. While GDPR only protects the information of EU data subjects, any company with a presence in the EU, including a website, is potentially subject to severe penalties if it does not comply with these new data privacy regulations.
Under Privacy Shield, a US Commerce Department framework created in 2016, US-based companies can self-certify that they are eligible to receive personal data from, or exchange it with, EU-based companies. Shortly after adopting GDPR in 2016, the EU Commission accepted Privacy Shield as an adequate certification for compliance with the Privacy Directive 1995/46/EC, GDPR’s predecessor. Until the Commission states otherwise, it is presumed that Privacy Shield has the same applicability under GDPR as it did under the 95 Directive.
However, in November 2017, the Article 29 Working Party (“WP29”)*, at the time an independent EU advisory body on data privacy, issued a report (https://ec.europa.eu/newsroom/just/document.cfm?doc_id=48782) requesting a re-examination of the Privacy Shield by the EU and US, calling into question Privacy Shield’s compatibility with, and effectiveness under, GDPR. At the date of this publication, no further public statements have been made by the WP29 or its successor, the European Data Protection Board, regarding Privacy Shield’s status. Thus, for the time being, the Privacy Shield continues to serve as a safe harbor for US companies making cross-border transfers of personal data under GDPR.
Privacy Shield replaced the longstanding set of safe-harbor rules governing data transfers out of the EU and into the US. Certifying with Privacy Shield affirms that the company provides adequate privacy protection to EU and Swiss citizens whose data it collects. Though joining Privacy Shield is voluntary, once a company has joined, it is obligated by US law to honor its commitments, subject to enforcement by the Federal Trade Commission or the Department of Transportation.
Self-certification under the Privacy Shield is a supplement to, but not a replacement for, GDPR compliance, because the scope of GDPR extends beyond the Privacy Shield’s mandate. By way of example, the responses GDPR requires to EU data subject requests for information or erasure are not contemplated by the Privacy Shield. However, the Privacy Shield remains a clear and forceful indicator that a US company’s business processes for cross-border information transfers are compatible with EU privacy rules. Self-certification under the Privacy Shield can build trust with consumers and signals to peers that the company is serious about privacy. The Commerce Department maintains an ongoing list of companies complying with Privacy Shield, and customers and business partners can use this list to research the companies that take data privacy most seriously.
* As of May 25, 2018, the WP29 was replaced by the European Data Protection Board.
Please contact BurgherGray if you have any questions or if you would like a review of your company’s privacy program.
ATTORNEY ADVERTISING. The information contained herein may constitute attorney advertising in certain jurisdictions and, in any event, should not be construed as legal advice with respect to any specific fact or circumstance. The information was prepared and is provided by BurgherGray LLP for general information purposes only and should not be used or relied on as a substitute for competent legal advice from an appropriately licensed attorney at law. Neither the provision by BurgherGray nor the use by you of the information presented herein creates any attorney-client relationship between you and BurgherGray LLP. Any prior result included in the information does not guarantee or imply a similar result or outcome in other matters.