The EU-US Privacy Shield Framework

EU GDPR and the EU-US Privacy Shield, Both Sides of the Same Coin?

US Organisations are starting to look at GDPR and ask, what do I need to do about it?

In many cases the EU-US Privacy framework is likely to be the solution.


UPDATE: 4 August 2020

On the 27th July 2020 the Court of Justice of the European Union ruled that Privacy Shield does not provide a safe mechanism for transfers of personal data outside of Europe to the US.

For More details please see our Blog on this ruling: EU-US Privacy Shield is Dead


Do US companies need to be compliant with GDPR?

The simple answer is if you are a US company processing EU Citizens personal data in the US you must either:

  • Comply with Privacy Shield

or

  • Have other safeguards in place such as corporate binding rules (see article 46 & 47 of the GDPR)

US corporate operations within the EU, processing EU Citizens data, will need to comply with the GDPR.

GDPR and Adequacy

GDPR covers all organisations within the EEA, which means in effect personal data may be moved freely within this geography, provided all the elements of the GDPR have been complied with.

If you wish to send data to another country or process EU data in another country not covered by GDPR then that country or territory needs to be declared Adequate by the EU, or more formally have been given and adequacy ruling by the EU regulator.

“Article 45:

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. “

The EU reached an adequacy decision on the EU-US Privacy shield in June 2016. However, the Article 29 Working Party has raised some concerns with the framework.

Privacy Shield

Privacy Shield is the EU-US Data Protection Framework agreement that allows those organisations that are certified, to process personal data of EU citizens.

Organisations in the US handling EU Personal Data need to be certified against Privacy Shield, not GDPR.

That being said in order to be ‘adequate’ Privacy Shield is pretty, much in line with what the GDPR requires, although there are some differences.

Privacy Shield Principles

The EU adopted the EU-U.S Privacy Shield Framework on the 12th July 2016, and the U.S. Department of Commerce began accepting EU-U.S. Privacy Shield self-certifications on 1st August 2016.

The fundamental principles of the frame where are:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability
  • Supplemental Principles

How much will Privacy Shield self-certification cost?

The cost for Privacy Shield is dependent on the size of company.

The Department of Commerce has set the following fees for 2016:

  • $0 to $5 million $250
  • Over $5 million to $25 million $650
  • Over $25 million to $500 million $1,000
  • Over $500 million to $5 billion $2,500
  • Over $5 billion $3,250

Conclusion

  • If you are a US Organisation handling EU person data, start looking at Privacy Shield
  • Become familiar with the GDPR, your EU subsidiaries or partners will benefit from it
  • Find someone who understands both Privacy Shield and the GDPR to help you through the process

References

If you would like to know more about how GDPR Auditing can help your organisation with the EU-US Privacy Shield or the GDPR in general please contact us at info@gdprauditing.com or visit our contacts page.

The information provided in this post is for general information only and is not intended to provide legal advice.

© GDPR Auditing 2017.