So, Is Privacy Shield GDPR Compliant?

In the first edition of this article published on this blog on March 3, 2018, I explained how the Privacy Shield fits within the overall question of compliance with GDPR, and whether it is deemed sufficient in documenting a company’s compliance with the new EU law on privacy.

Indeed, one of the most common questions I continue to get asked about the Privacy Shield is, “Is Privacy Shield GDPR compliant?”. This question needs to be clarified, as it could mean one of two things in the mind of the person asking it:

  1. Is the Privacy Shield a mechanism that meets the requirements of GDPR? or
  2. Is the Privacy Shield a substitute for GDPR, so companies that have self-certified under the Privacy Shield do not need to comply separately with GDPR?

I’ll address these two questions in turn with the goal of responding to the overall question as to whether the Privacy Shield is GDPR-compliant.

  1. Is the Privacy Shield a mechanism that meets the requirements of GDPR?

The short answer to this question was yes, at the time this article was first published. Why yes? And has anything changed since the time this article was first published?

Under the GDPR, the personal information of EU residents can only be transferred outside the EU in compliance with the conditions for transfer as set out in Chapter V (Articles 44-50) of the text. As far as transfers of personal information to the U.S. are concerned, this falls into one of three main avenues of compliance:

  a) The signature of standard contractual clauses between an EU-based entity sharing personal data and a U.S.-based entity interested in being granted access to EU personal data, using one of the versions adopted by the European Commission;
  b) Intra-group binding corporate rules (BCRs) providing legally binding safeguards for the protection of EU personal data within a multinational organization; or
  c) An adequacy finding of the European Commission whereby the Commission deems that the protection afforded to the personal data of EU residents when transferred to certain territories outside the EU is sufficient that it doesn’t require further authorization from a national supervisory authority of the EU.

On July 12th, 2016, i.e. after the adoption of the GDPR in May of 2016, the European Commission issued an implementing decision on the adequacy of the protection of EU personal data provided by the EU-U.S. Privacy Shield, the successor framework to the Safe Harbor mechanism, a program which the European Court of Justice had declared invalid on October 6th, 2015.

Therefore, although it is not mentioned anywhere in the text of the GDPR, due to its implementation after the adoption of the new EU law, the Privacy Shield is a mechanism that was approved by the EU as an adequate means for transferring personal data from the EU to the U.S. As such, the Privacy Shield is compliant with EU privacy law under the current Privacy Directive 1995/46/EC and, unless and until the EU decides to reverse its adequacy finding decision, it will remain so under the upcoming GDPR.

I did note at the time that on November 28, 2017, the Article 29 Working Party (an independent European advisory body composed of representatives from the 28 national data protection authorities of the EU) had published its first annual joint review of the EU-U.S. Privacy Shield, in which it expressed a number of concerns and recommended certain actions to be completed in the coming months. Accordingly, based on the findings of the review, one needed to use caution in predicting a long life for the Privacy Shield.

In September, after the EU Parliament had decided in July to vote against the Privacy Shield until the concerns raised by the Article 29 Working Party (now the European Data Protection Board) had been addressed by the U.S. to the EU’s satisfaction, I co-authored an article for the International Association of Privacy Professionals (IAPP), the world’s largest global information privacy organization, “European Parliament votes to suspend Privacy Shield: Now what?”. In it, my co-authors and I examined specific regulatory actions and other evidentiary clues in the aftermath of the Parliament’s July vote against the Shield, concluding that the Shield would likely survive.

Since that IAPP article was published, a joint statement issued by EU and U.S. officials on October 19th supports this conclusion. In connection with the second annual review of the Privacy Shield arrangement, which also took place in October of this year, officials highlighted their ongoing commitment to ensuring that the framework works as it was intended. The European Commission is expected to release by year’s end a report on its findings about the functionality of the Shield framework; however, I continue to believe that, despite the concerns raised by the EU, there is good intent on both sides to arrive at a point of confidence that EU personal data transferred to the U.S. and managed by the U.S. Department of Commerce under the Privacy Shield is indeed adequately protected whilst on U.S. soil. It remains that increased oversight by the U.S. Department of Commerce is likely, and therefore businesses will see more pressure from U.S. regulators to document their compliance with the Shield’s requirements.

  2. Is the Privacy Shield a substitute for GDPR, so companies that have self-certified under the Privacy Shield do not need to comply separately with GDPR?

The short answer to this question is no.

As I explained, the Privacy Shield is only one of the three main mechanisms whereby personal data of EU residents can be validly transferred to the U.S. It is not, however, a substitute for compliance with the GDPR.

Although the seven Privacy Shield Principles and the 16 Supplemental Principles represent a good basis for self-certifying organizations looking to develop an understanding of the guiding principles underlying the EU legal and regulatory privacy framework, including GDPR, the Privacy Shield continues to be viewed in the EU as a lesser version of the GDPR, one which does not offer the same level of protection of EU personal data that the new EU regulation does.

In addition, the reports that came out of both the first and second annual joint reviews by the Article 29 Working Party questioned, and certainly continue to question, a number of the safeguards offered by the U.S. for the protection of EU personal data, and they prolong a period of uncertainty as to the future of the Privacy Shield; a situation which has already led a number of U.S. corporations to consider other EU-approved mechanisms for transferring data from the EU to the U.S.

Last but not least, the rather onerous U.S. regulatory oversight that attaches to the Privacy Shield self-certification program may prove to be a deterrent for small and medium-size corporations in the U.S.

Small and medium-sized corporations may prefer to subject themselves to the direct application of the EU privacy framework, which is perceived by EU individuals and corporate clients as better aligned with EU privacy principles and therefore more protective of personal data.

Published 12 February 2019 | European Union
