In a previous article on this blog (“Is Privacy Shield GDPR Compliant?”) I explained the purpose of the Privacy Shield and how it should be read in the context of an organization’s documentation obligations under the GDPR. In this article, I draw some conclusions about whether it is sufficient to satisfy the Accountability Principle, one of the GDPR’s foundational principles (Article 5(2)).
What is the EU-US Privacy Shield?
The EU-US Privacy Shield Framework is an arrangement between the EU and the U.S. that provides a lawful basis for transferring personal data from the EU to the U.S. Since August 1, 2016, a U.S.-based organization that self-certifies under the Privacy Shield, and continues to uphold the seven Privacy Shield Principles, can lawfully receive personal data of EU residents.
Is the Privacy Shield still effective after GDPR?
It is important to note, for a start, that the Privacy Shield is not mentioned anywhere in the text of the GDPR. This is because the Privacy Shield did not yet exist when the text of the GDPR was published. Articles 44-49 of the GDPR, which address international data transfers, give the EU Commission the power to determine whether a third country, or one or more specified sectors within that country, provides an adequate level of protection for the personal data of EU residents; once such an adequacy decision is in place, transfers to that country or sector require no further authorization. The Privacy Shield is a sector-limited adequacy decision of this kind: the Commission found adequacy only for U.S. organizations that self-certify under the framework agreed with the U.S. Department of Commerce. The decision was adopted in July 2016 under the equivalent provision of the 1995 Data Protection Directive, and Article 45(9) of the GDPR keeps adequacy decisions adopted under the Directive in force until they are amended, replaced or repealed. The Privacy Shield is the successor to the defunct 2000 EU-U.S. Safe Harbor mechanism and serves as the adequacy mechanism for transferring personal data from the EU to the U.S.
Under the GDPR, the burden on U.S.-based companies to document their privacy and data protection practices has increased substantially compared to what it was under the Safe Harbor. The purpose of the GDPR is to ensure that EU residents are guaranteed adequate protection of their personal data wherever it is processed, by setting out broad and stringent rules about data collection and processing. The Privacy Shield Framework was adopted as a new mechanism (alongside Binding Corporate Rules and the Standard Contractual Clauses) for lawfully transferring EU residents’ personal data from the EU to the U.S.; it therefore addresses only one aspect of the GDPR. While the Privacy Shield Framework aligns with the GDPR to an extent, organizations that self-certify under the Privacy Shield are not GDPR compliant simply by virtue of their self-certification, and must take additional steps to document their compliance with the GDPR.
The Privacy Shield Principles
The Privacy Shield lays out a number of requirements for U.S. organizations to protect EU residents’ personal data and to implement recourse mechanisms for EU residents whose privacy has been violated. An organization is only Privacy Shield certified once the U.S. Department of Commerce has evaluated its submission and practices and has added it to the list of certified organizations. Upon certification, these organizations are subject to U.S. Department of Commerce oversight and FTC enforcement.
The Privacy Shield Principles describe seven requirements that U.S. organizations must build into their privacy and data processing practices to be certified:
- Notice: Organizations must inform individuals about the types of personal data collected, the purposes of processing, the third parties to which data may be disclosed, and the individuals’ rights and recourse options under the framework.
- Choice: Organizations must provide a clear and readily available process for individuals to opt out of having their personal data disclosed to third parties or used for a purpose materially different from the one for which it was collected. The individual must affirmatively opt in to such disclosure or use if it involves sensitive personal data, such as data relating to health, race, religion, or sex life.
- Accountability for Onward Transfer: Organizations may only transfer personal data to third parties under a contract that requires the recipient to provide the same level of protection as the Principles.
- Security: Organizations must implement reasonable and appropriate security measures to protect personal data.
- Data Integrity and Purpose Limitation: Data collection must be relevant to the purpose of processing and limited to what is necessary for that purpose.
- Access: Organizations must provide individuals with the ability to access their personal data and to correct, amend or delete data that is inaccurate or has been processed in violation of the Principles.
- Recourse, Enforcement and Liability: Organizations must provide an independent recourse mechanism that offers remedies to individuals, and must verify annually that their practices are Privacy Shield compliant.
The interplay between the Privacy Shield and the GDPR
While being Privacy Shield certified will significantly help an organization understand where to focus its attention and document its compliance in such a way as to meet the requirements of the Accountability Principle under the GDPR, there are many components of the GDPR that the Privacy Shield does not address. To become GDPR compliant, Privacy Shield certified organizations will still need to meet a number of additional requirements, among which:
- The right to erasure
- The right to restriction
- The right to data portability
- The right to object to automated decision making and profiling
- The right to file complaints with European Data Protection Authorities (DPA’s)
- Privacy by Design: Organizations will need to build privacy mechanisms into, and minimize processing in, the design of their websites, systems and practices.
- Data Protection Impact Assessments (“DPIA”): Organizations will need to assess their data collection and processing systems, including the sufficiency of their security measures, before processing that is likely to result in a high risk to individuals.
- EU Based Representative: Organizations with no establishment in the EU that process EU residents’ data will need to appoint a representative within the EU whom data subjects and DPAs can contact.
- Record of Data Processing: Organizations will need to maintain records of their processing activities.
Each of these requirements contains exceptions that exempt certain types of organizations from needing to comply with that requirement based on considerations like the type of data being processed or the size of the organization. Read more about those in our GDPR Glossary.
That said, organizations eligible to self-certify (not all are; the framework is open only to organizations subject to FTC or Department of Transportation jurisdiction) should still consider the Privacy Shield, because it is one of several tools that help U.S. organizations become GDPR compliant. It is important to keep in mind, however, that the Privacy Shield was designed only to satisfy the EU Commission’s adequacy requirements, so that EU personal data can be transferred to the U.S. without additional documentation in support of the transfer; it was never designed to replace the need for a U.S.-based data processing organization to comply with the GDPR, nor the need for it to be in a position to document its compliance with the Regulation.
In my previous blog article “Is Privacy Shield GDPR Compliant?”, I mentioned that the Article 29 Working Party (“WP29”), the advisory body established by Article 29 of the 1995 Data Protection Directive and bringing together representatives of each EU national data protection authority (replaced by the European Data Protection Board on May 25, 2018), released in November 2017 its report on the first annual joint review of the Privacy Shield. In its report, the WP29 identified a number of flaws in the framework, including a lack of guidance for companies trying to self-certify, a lack of active oversight by U.S. regulators, and a failure to define or distinguish important privacy concepts. The report asked that all of the priority concerns be remedied by May 25, 2018, when the GDPR went into effect, and that the remaining issues be fixed by the next review in the fall of 2018. In a resolution dated June 11, 2018, the European Parliament’s Civil Liberties Committee went further and stated that the Privacy Shield should be suspended if the U.S. fails to meet its commitments by September 1, 2018.
Given the concerns raised by the European authorities and the uncertain future of the Privacy Shield, Privacy Shield certified organizations should supplement their self-certification by separately and properly documenting their efforts to comply with the GDPR.
This article was written with the collaboration of Monica Meiterman-Rodriguez