In this article, I explain how the Privacy Shield fits within the overall question of compliance with GDPR, and whether it is deemed sufficient in documenting a company’s compliance with the new EU law on privacy.
One of the most common questions I get asked is “Is Privacy Shield GDPR compliant?” This question needs to be clarified, as it could mean one of two things in the mind of the person asking it:
- Is the Privacy Shield a mechanism that meets the requirements of GDPR? or
- Is the Privacy Shield a substitute for GDPR, so that companies that have self-certified under the Privacy Shield do not need to comply separately with GDPR?
I’ll address these two questions in turn with the goal of responding to the overall question as to whether the Privacy Shield is GDPR-compliant.
- Is the Privacy Shield a mechanism that meets the requirements of GDPR?
The short answer to this question is yes, at the time of this article. Why yes? And why at the time of this article?
Under the GDPR, the personal information of EU residents can only be transferred outside the EU in compliance with the conditions for transfer set out in Chapter V (Articles 44-50) of the text. As far as transfers of personal information to the U.S. are concerned, such transfers fall under one of three main avenues of compliance:
a) The signing of standard contractual clauses between an EU-based entity sharing personal data and a U.S.-based entity interested in being granted access to EU personal data, using one of the versions adopted by the European Commission;
b) Intra-group binding corporate rules (BCRs) providing legally binding safeguards for the protection of EU personal data within a multinational organization; or
c) An adequacy finding of the European Commission, whereby the Commission deems that the protection afforded to the personal data of EU residents when transferred to certain territories outside the EU is sufficient and therefore does not require further authorization from a national supervisory authority of the EU.
On July 12th, 2016, i.e. after the adoption of the GDPR in May of 2016, the European Commission issued an implementing decision on the adequacy of the protection of EU personal data provided by the EU-U.S. Privacy Shield, the successor framework to the Safe Harbor mechanism, a program which the European Court of Justice had declared invalid on October 6th, 2015.
Therefore, although it is not mentioned anywhere in the text of the GDPR, due to its implementation after the adoption of the new EU law, the Privacy Shield is a mechanism that was approved by the EU as an adequate means for transferring personal data from the EU to the U.S. As such, the Privacy Shield is compliant with EU privacy law under the current Privacy Directive 1995/46/EC and, unless and until the EU decides to reverse its adequacy finding decision, it will remain so under the upcoming GDPR.
I will note, however, that on November 28, 2017, the Article 29 Working Party (an independent European advisory body composed of representatives from the 28 national data protection authorities of the EU) published its first annual joint review of the EU-U.S. Privacy Shield, in which it expressed a number of concerns and recommended certain actions to be completed in the coming months. With that in mind, one must use caution in predicting a long life for the Privacy Shield.
- Is the Privacy Shield a substitute for GDPR, so that companies that have self-certified under the Privacy Shield do not need to comply separately with GDPR?
The short answer to this question is NO.
As I explained, the Privacy Shield is only one of the three main mechanisms whereby personal data of EU residents can be validly transferred to the U.S. It is not, however, a substitute for compliance with EU privacy law, whether the current EU Privacy Directive or, come May 25, 2018, the GDPR – the new European regulation.
Although the seven Privacy Shield Principles and the 16 Supplemental Principles represent a good basis for self-certifying organizations looking to develop an understanding of the guiding principles underlying the EU legal and regulatory privacy framework, including GDPR, the Privacy Shield continues to be viewed in the EU as a lesser version of the GDPR, which does not offer the same level of protection to EU personal data that the new EU regulation will offer.
In addition, the report that came out of the first annual joint review by the Article 29 Working Party has certainly questioned a number of the safeguards offered by the U.S. for the protection of EU personal data, and opened a period of uncertainty as to the future of the Privacy Shield, a situation which has already led a number of U.S. corporations to consider other EU-approved mechanisms for transferring data from the EU to the U.S.
Last but not least, the rather onerous U.S. regulatory oversight that attaches to the Privacy Shield self-certification program may prove to be a deterrent for small and medium-sized corporations in the U.S.
Small and medium-sized corporations may prefer to subject themselves to the direct application of the EU privacy framework, which is perceived by EU individuals and corporate clients as better aligned with EU privacy principles and therefore more protective of personal data.