With the General Data Protection Regulation of the European Union (GDPR) a few months away from coming into effect, many US businesses are concerned about the impact of the GDPR on their business transactions with the EU and are questioning how the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) differ from the GDPR. This article aims to clarify the relationship between the GDPR and the Privacy Shield and how the new legislation affects businesses in the US.
A Brief Summary of the GDPR
The GDPR is the European Union’s new, comprehensive privacy law that will take effect on May 25, 2018. What makes the GDPR unique and important, however, is its broad material and territorial scope. Unlike its predecessor, the European Data Protection Directive (the “Directive”), which only directly applied to organizations established in the EU, the GDPR applies to both EU-based businesses and to businesses that have no physical or legal presence in the EU. By its own language, the GDPR applies to all organizations that process the personal data of EU persons in connection with offering them goods or services (even if for free) or that monitor the behaviour of individuals within the EU (such as by tracking an individual’s use of a website). These standards will be applied broadly, meaning that, in effect, the GDPR has a global application. Any business that wishes to operate in the EU, even remotely, will have to comply with its requirements.
If an organization is found to be in breach of the GDPR, it could be fined up €20 million or 4 percent of its annual global revenue, whichever is higher. Therefore, ensuring compliance with the GDPR is extremely important to organizations that fall within its scope.
Data Export Restrictions Under European Privacy Law
While the GDPR is a comprehensive data protection law that aims to regulate the processing of European personally identifiable information throughout the world, the Privacy Shield is concerned with one specific thing: the transfer of personal data from the EU (or, more specifically, from the European Economic Area and Switzerland) to the U.S.
The European Commission and the United States Department of Commerce agreed on the Privacy Shield because United States data protection laws were insufficient on their own to be considered as “adequate” by European regulators.
The current privacy law in Europe (i.e., the Directive) and the upcoming GDPR only permit the transfer of personal data from the EU to a non-EU country in certain circumstances: either the foreign country’s data protection laws must offer a level of protection deemed “adequate” by the European Commission, or an approved data transfer mechanism must be used. As the European Commission has, to date, only declared 11 jurisdictions outside of the European Economic Area to have adequate data protection standards (not including the United States), European organizations have come to rely on approved data transfer mechanisms, such as the Privacy Shield, to lawfully transfer personal data overseas.
GDPR and Privacy Shield: Why Both Are Necessary
Although the GDPR will place many new, rigorous obligations upon U.S. businesses, the European Union’s need to ensure the adequacy and enforceability of data protection standards in non-EU countries will remain. Thus, the Privacy Shield will continue to be a vital tool for U.S. organizations that engage with EU clients after the GDPR comes into effect. In this sense, Privacy Shield certification can be approached as the first step in a two-step process toward a comprehensive EU data protection strategy.
While it’s not uncommon for U.S. businesses to think about the Privacy Shield and the GDPR as if they serve a nearly identical purpose, they are in fact very different legal instruments that serve two separate, if overlapping, functions. Non-EU organizations cannot merely comply with the GDPR as a means to enable exports of personal data from the EU. While GDPR compliance will be necessary in any case, an approved data transfer mechanism, such as the Privacy Shield, must be implemented by the non-EU organization as well.
To better understand the simultaneous need for both the Privacy Shield and the GDPR, consider that the Privacy Shield offers several dispute resolution recourse mechanisms to European data subjects in case a Privacy Shield participant has violated his or her right to privacy. While the GDPR alone doesn’t give Europeans access to any binding recourse mechanism in the U.S., the Privacy Shield includes a special arbitration panel, and an Ombudsperson at the U.S. Department of State to respond to complaints from Europeans.
Additionally, when a U.S. business certifies that it complies with the Privacy Shield, that promise is legally enforceable by the Federal Trade Commission (or, in some cases, the Department of Transportation) here in the United States, which is a key element of the European Commission’s decision to consider Privacy Shield participants as providing “adequate” data protection. Thus, European organizations may transfer personal data from the EU to Privacy Shield participants in the U.S., while remaining compliant with European data protection laws.
Much like how the Privacy Shield contains its own distinct facets, the GDPR (which is a much broader and more complex piece of legislation) also contains a variety of unique and proprietary obligations. Despite the fact that Privacy Shield is meant to “bridge the gap” between the American and the European perspective on privacy rights, a considerable gap does nevertheless remain.
Privacy Shield is an important part of any U.S. business’ European privacy toolkit. When used in conjunction with a robust and professionally directed GDPR compliance plan, the Privacy Shield can be a powerful — and profitable — tool.
In closing, the coming into effect of the GDPR will increase the need for U.S. businesses to utilize the Privacy Shield as a mechanism for legally transferring personal data from the EU to the U.S. To learn more about VeraSafe’s Privacy Program, the Privacy Shield, and the GDPR, contact one of VeraSafe’s privacy experts today for a free EU privacy consultation.