If you've ever seen me present on GDPR, you will recall that I mentioned the questionable status and future of Privacy Shield, the framework that replaced Safe Harbor as the mechanism for transferring personal data from the EU and Switzerland to the U.S. I personally didn't believe that Privacy Shield would survive after GDPR took effect on May 25, 2018. In case you are not familiar with Privacy Shield, here is the framework's own description.
According to the Privacy Shield website, "The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data-protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
"The Privacy Shield program, which is administered by the International Trade Administration within the U.S. Department of Commerce, enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework's requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law."
Thanks to my friend and go-to legal GDPR subject-matter expert Debbie Chong (CEO of GDPR-ready Lenos Software), there is a clarification about Privacy Shield and GDPR. According to a Better Business Bureau memo, it turns out that Privacy Shield will survive and is considered to be complementary to GDPR: "A driving concern for U.S. businesses processing data from Europe right now is not only Privacy Shield, an agreement designed to enable data transfers between the EU and the U.S., but also the GDPR (Regulation 2016/679), a much broader law taking effect May 25, 2018, that regulates the activities of both EU and certain U.S. and other overseas companies with respect to data collected within the EU. To clear up any confusion that may exist on this issue among Privacy Shield participants, let us first emphasize that GDPR is not replacing Privacy Shield. The two sets of privacy protections they create are complementary, and many of our participants will be complying with both in tandem."
How do GDPR and Privacy Shield align?
The GDPR imposes new privacy obligations on many U.S. companies doing business in the EU, including enhanced transparency requirements and protections for EU data subjects. Many, but by no means all, of these requirements and protections are already engineered into Privacy Shield.
As U.S. companies begin aligning their privacy compliance with GDPR requirements, many of them are electing to use the EU-U.S. Privacy Shield in two ways: 1) to meet a critical requirement under GDPR -- that organizations put in place an approved mechanism to transfer data collected in the EU to the U.S.; and 2) as an "on-ramp" to GDPR compliance.
According to Department of Commerce officials: "The EU-U.S. Privacy Shield Framework was designed with an eye to the GDPR. Both the Department of Commerce and the European Commission worked hard to ensure that the Privacy Shield would be a durable framework that could continue under the GDPR. The Framework addresses substantive privacy protections under the GDPR, and in certain parts specifically accommodates the GDPR. It is important to note that the GDPR includes a provision that grandfathers in the adequacy determinations made under the present EU Data Protection Directive, which the GDPR will replace, including the Framework. Although Privacy Shield self-certification allows companies to meet the requirements to transfer data under the GDPR, it is not a GDPR-compliance mechanism and thus is not a substitute for GDPR compliance. Companies should take a careful look at GDPR requirements if they fall within its scope.
"So, by becoming Privacy Shield-compliant for European data transfer to the U.S., your company has already taken some important first steps toward GDPR compliance. However, simply being compliant with the Privacy Shield does not mean that you will be fully compliant with GDPR. There are several other important elements of GDPR that U.S. companies should know about and act on to ensure full compliance."
I hope this update on Privacy Shield will clarify once and for all that it will still exist but will not replace GDPR standards, and that GDPR compliance is still a standalone imperative for all companies seeking to avoid the large fines that could be assessed for noncompliance.
Kevin Iwamoto is senior consultant at GoldSpring Consulting. You can follow him on Twitter @KevinIwamoto.