Is Privacy Shield Equal to GDPR Compliance?
The simple answer is no. Twenty years ago, companies complied with the Safe Harbor Framework to ensure a standardized, secure and private framework for E.U.-to-U.S. personal data transfer, but in 2015 the framework was deemed invalid by the European Court of Justice. This spurred the creation of the Privacy Shield Framework in 2016, which has been adopted by almost 3,000 U.S. businesses, but, alas, this framework has been deemed insufficient for the new GDPR regulations implemented on May 28, 2018.
If U.S. companies want to send personal data to, or receive personal data from, an E.U. internal or external source and remain within GDPR compliance, they need to look beyond the Privacy Shield. For those companies that have invested in the Privacy Shield certification, all is not lost. Much of the self-certification process found in the Privacy Shield framework can be reused in GDPR compliance. For U.S. companies, the primary interest is compliant transfer of personal data from an E.U. to a non-E.U. country. According to GDPR, this transfer can be done if the foreign country’s data protection laws (in this case, the U.S. laws) offer a level of data protection deemed “adequate” by the European Commission (the U.S. has not earned this level), or if an approved data transfer mechanism is used.
It is important to note here that the “level of data protection” refers only partially to data security. The other aspects of “data protection” revolve around the E.U. citizen’s data rights, including the rights:
- To be informed how their data is used.
- To correct mistakes.
- To be forgotten (erased from your systems).
- To data portability.
- To access their data.
- To object to how their information is used.
- To remove themselves from automated decision-making and profiling.
Privacy Shield and GDPR are in different categories. As an example, GDPR lacks any reference to the Privacy Shield framework, demonstrating the incongruity between the Privacy Shield and GDPR frameworks. In my opinion, there is a reason for this omission. Privacy Shield is a self-certified framework void of any regulatory oversight or penalties. GDPR is different. GDPR has substantial fines and a regulatory stature, so logically a regulation cannot be satisfied by a voluntary and unenforced framework.
Again, Privacy Shield-certified companies can use much of their Privacy Shield documentation and processes to fulfill other approved methods of sending E.U. personal data “across the pond.” Privacy Shield and GDPR also share a common focus. Both frameworks make companies responsible for the data protection programs of their third parties, including HR systems, cloud providers, vendors and customer and prospect marketing and sales applications. This connection between GDPR and third parties reflects the need to integrate third-party risk management and privacy information in one application.
The natural question is whether there are other links between total GDPR compliance and the voluntary Privacy Shield Framework, and the answer is yes. The E.U. has decided that certain standardized contractual clauses offer sufficient safeguards to protect an E.U. individual’s privacy and rights. As of this blog posting in May 2018, three sets of standardized contractual clauses are available: two for the data controllers (the data owners) outside of the European Economic Area (EEA), and one for transfers from the data controllers in the EEA to the data processors outside the EEA.
Deciding which GDPR compliance mechanism is best for your company revolves around your company size, the amount of E.U. data sent and received, and your willingness to commit to privacy compliance. While CENTRL is committed to helping companies adhere to their privacy and risk management needs, we are keenly aware that privacy regulations will evolve geographically, technically and socially. One of the hallmarks of our company philosophy is to evolve with the changing landscape of data privacy. The axiom that “the only thing that is constant is change” reflects our long journey ahead.
For more information on the CENTRL GDPR compliance platform, click here.