Summary: When speaking about the GDPR, the EU-US Privacy Shield should only be used as a framework or tool as it is meant to focus on transatlantic data flows.
My personal thoughts after listening to C-level executives at the CxO Roundtable Series sponsored by Intel, IBM, HyTrust & ReedSmith. For an invite, please reach out to me.
Last October, Techdirt wrote about an important decision by the Irish High Court in a case concerning data transfers from the EU to the US. The case can be traced back to the Edward Snowden revelations about US mass surveillance by the NSA. The decision focused on adherence to EU law in light of US mass surveillance law. The concern raised was that the NSA’s routine access to user information that companies like Facebook had transferred from the EU flies in the face of EU citizens’ fundamental privacy rights. However, this case doesn’t relate to the GDPR but to another form of data transfer regulation: the EU-US Privacy Shield.
The EU-US Privacy Shield and its precursor, the U.S.-EU Safe Harbor, were meant to be a temporary band-aid for the EU data protections that existed under the 1995 Data Protection Directive, which the GDPR updates and replaces. The Privacy Shield certification is a voluntary self-certification that helps to expedite transfers of personal data across the Atlantic. Once you do certify, you must renew the certification annually. The certification essentially says the company:
- Is under the authority of the FTC or another U.S. agency for compliance purposes
- Is publicly making a commitment to follow the rules laid out in the Privacy Shield
- “must include robust mechanisms for assuring compliance with the Principles” laid out in the Privacy Shield
For compliance, the Privacy Shield may be posted on the company’s website.
While the EU-US Privacy Shield does offer some formal protection and can be a useful framework or tool for GDPR compliance, it isn’t complete. Think of the Privacy Shield as a guide to GDPR compliance, but that is it! The GDPR is far more stringent. The GDPR protects personal data that is processed in activities and transactions involving EU citizens (through its rules for data processors and controllers) regardless of where the processing physically takes place, while the Privacy Shield deals only with personal data that is transferred out of the EU to the US. The Privacy Shield was just the beginning of the new generation of data legislation in the EU, and it may not even survive if the legal challenges to Facebook’s data flows are successful.