Privacy Shield and GDPR
by Alex Greenstein, Privacy Shield Director
In April 2016, the European Union (EU) replaced its 1995 Data Protection Directive with the General Data Protection Regulation (GDPR). As companies in the EU and beyond review their data protection policies to ensure compliance with this law, many are asking how GDPR impacts the three-year-old EU-U.S. Privacy Shield Framework.
Background on GDPR
Effective May 2018, GDPR governs the commercial use of personal data, requiring companies to follow certain data protection practices.
The regulation applies to all EU-based companies, as well as companies outside the EU that receive EU personal data in offering goods and services or in monitoring EU individuals’ behavior. GDPR also governs the transfer of EU personal data to companies outside the EU.
GDPR has garnered a great deal of attention globally and has incentivized many companies to review and update their privacy and cross-border data flow policies. The International Trade Administration (ITA) at the U.S. Department of Commerce engages regularly with the U.S. business community to promote wider awareness of the GDPR’s new requirements. ITA’s Office of Digital Services Industries (ODSI) has also partnered with the U.S. Commercial Service team at the U.S. Mission to the European Union in outreach efforts.
Relationship with Privacy Shield
Privacy Shield is not a GDPR compliance mechanism, but rather a means that enables participating companies to meet the EU requirements for transferring personal data to third countries, as discussed in Chapter V of the GDPR.
GDPR’s Article 45 explicitly provides for the continuity of prior European Commission (EC) adequacy determinations, such as the adequacy decision regarding Privacy Shield, which the Commission adopted in July 2016 under the 1995 Data Protection Directive. Accordingly, the EC’s adequacy determination for Privacy Shield remains valid under the GDPR.
Negotiators from both the U.S. Government and the European Commission accounted for the GDPR’s new substantive and procedural requirements as they developed the Privacy Shield Framework in 2016. Privacy Shield’s joint annual review, for example, was designed to satisfy the GDPR requirement that European Commission adequacy determinations be reviewed at least once every four years. Privacy Shield’s annual review exceeds this requirement.
In addition, the Privacy Shield Framework created the Ombudsperson mechanism, which provides an unprecedented new channel for EU and Swiss individuals to seek an independent review regarding national security access to personal data transferred to the United States. This mechanism applies not only to data transferred pursuant to the Privacy Shield Framework but also to other EU-approved data transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, further enabling transatlantic commerce while protecting privacy.