The EU/US, Safe Harbor scheme, was struck down by the Court of Justice of the European Union (CJECU) in October of 2015 putting companies on both sides of the Atlantic in a difficult position – not having a process for legally transferring data out of the EU to the US. 

The new Privacy Shield Scheme was put forth in February 2016 and finally adopted in August of 2016. Privacy Shield, like the original Safe Harbor process, is an agreement between the EU and U.S. allowing for the transfer of personal data from the EU to the US.

As of November 2017, 2,300 companies had joined the Privacy Shield. However, Privacy Shield has not been universally accepted by all European countries, localities, and courts and will no doubt face challenges as was the case with the Safe harbor scheme.

Regulations and directives

The General Data Protection Regulation (GDPR), which is set to come into effect in May 2018, is the new legal framework in the EU that replaces the current EU Data Protection Directive.

The question is; what is the difference between a directive and regulation? In fact, a regulation is law and therefore legally binding, whereas a directive is a recommendation and is not legally binding. This fact highlights that the GDPR (being a law), has huge liabilities if not followed by all European Union member states. The GDPR also applies to companies outside of the EU holding EU citizen personal data.

The eight rights guaranteed under the GDPR

• Right to be informed – This provides transparency over how personal data is used.
• Right to access – Provides access to your data, how it is used, and any supplemental data that may be used alongside your data.
• Right to rectification – The right to have your personal data rectified if it Is incorrect or incomplete.
• Right to erasure (or the right to be forgotten) – Your right to have personal data removed where there is no compelling reason to store it.
• Right to restrict processing – You can allow your data to be stored but not processed. An example where you may want to invoke this right is if you feel that inaccurate data is stored awaiting rectification.
• Right to data portability – You can request copies of information stored about you to use elsewhere, such as if applying for financial products across some
• Right to object – You can object to how your data is processed. One example may be in that you object to your data being used by direct marketing organizations. If you object, the regulation specifies they must comply.
• Rights to automated decision making and profiling – You can object to automated decisions being made based on your data. Automated means without human intervention. An example may be online shopping habits being determined based on previous online behavior. If an organization or processor breaches a condition, the penalties are high. Businesses currently face up to a fine of 20 million euros or 4% of their global turnover.

Are GDPR and Privacy Shield compatible?

An interesting fact is that the GDPR does not even mention the Privacy Shield agreement.In reality, the GDPR has specific requirements that apply to the transfer of data out of the EU, including that the transfer can only happen to countries that have been deemed as having adequate data protection laws. So far the EU does not list the US as a country that meets that requirement. However, Privacy Shield is designed to designate member companies as meeting certain data protection requirements.

Said another way, Privacy Shield allows US companies with a presence in the EU or EU companies to meet specific data handling requirements of the GDPR. A point to remember is that the GDPR is a law with extremely high penalties if not followed, so it must take priority at all times.

To read the blog in total, please click here