The European Union’s General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018, and companies throughout the world have devised privacy programs that comply with this new regulation.  While GDPR only protects the information of EU data subjects, any company with a presence in the EU, including a website, is potentially subject to severe penalties if it does not comply with these new data privacy regulations.

Under Privacy Shield, a US Commerce Department framework created in 2016, US-based companies can self-certify that they are eligible to receive from or transfer data with EU-based companies.  Shortly after adopting GDPR in 2016, the EU Commission had accepted Privacy Shield as an adequate certification for compliance with the Privacy Directive 1995/46/EC, GDPR’s predecessor.  Until stated otherwise by the Commission, it is presumed that Privacy Shield has the same applicability under GDPR as it did under the 95 Directive.

However, in November 2017, the Article 29 Working Party (“WP29”)*, at the time an independent EU advisory party on data privacy, issued a report (https://ec.europa.eu/newsroom/just/document.cfm?doc_id=48782) requesting a re-examination of the Privacy Shield by the EU and US, calling into question Privacy Shield’s compatibility with, and effectiveness under GDPR.  At the date of this publication, no further public statements have been made by the WP29 or its new replacement, the European Data Protection Board, regarding Privacy Shield’s status.  Thus, for the time being, the Privacy Shield continues as a safe harbor for US companies for cross-border transfers of personal data under GDPR.

Privacy Shield initially replaced longstanding set of safe-harbor rules governing data transfer out of the EU and into the US.  Certifying with Privacy Shield affirms that the company provides adequate privacy protection to EU and Swiss citizens if their data is collected.  Though joining Privacy Shield is voluntary, once a company has joined, it is obligated by US law to honor its commitments, subject to enforcement by the Federal Trade Commission or Department of Transportation.

Among other things, Privacy Shield calls for organizations to publicly declare their compliance, lay out an easy-to-understand privacy policy, and provide contact information for corporate employees responsible for consumer complaints about data.

Self-certification under the Privacy Shield is a supplement to, but not a replacement for, GDPR compliance, for the breadth of GDPR expands beyond the Privacy Shield’s mandate.  As by way of example, GDPR’s response mandates to EU data subject requests for information or erasure are not anticipated under the Privacy Shield.  However, the Privacy Shield remains a clear and forceful indicator that a US company’s business processes for cross-border information transfers are compatible with the EU privacy rules.  Self-certification under the Privacy Shield can build trust with the consumer and signals to peers that the company is serious about privacy.  The Commerce Department maintains an ongoing list of companies complying with Privacy Shield (available here), and customers and business partners can use this list to research the companies that take data privacy most seriously.

* As of May 25, 2018, the WP29 was replaced by the European Data Protection Board.

 Learn more about Privacy Shield at https://www.privacyshield.gov/.  Companies interested in participating with Privacy Shield can consult Privacy Shield’s online guide for registration at this link.

 Please contact BurgherGray if you have any questions or if you would like a review of your company’s privacy program.