The big question is…
If a company is self-certified under the Privacy Shield, would that mean the company would be automatically in compliance with GDPR?
The GDPR, like the EU Directive, permits data transfer to countries with ‘adequate protection’. In the case of ‘self-certification’, who is to say that, in a court of law, someone could not simply demonstrate that the company did not, in fact, meet the certification requirements?
The U.S. and the EU are both taking steps to protect a person’s digital existence. Changes have already happened: in the United States, from Safe Harbor to the Privacy Shield, and in the EU, from the Data Protection Directive to the GDPR.
Here are 6 things that you should know about the Privacy Shield and the GDPR:
- On the 12th July 2016, the European Commission adopted the EU-U.S. Privacy Shield. The Privacy Shield is a framework agreed by the European Union and the United States. It replaced the Safe Harbor framework.
The European Court of Justice invalidated the Safe Harbor framework because it was inadequate in protecting EU personal data under the fundamental rights of Europe.
The Privacy Shield offers stronger protection (over Safe Harbor) for transatlantic data flows. This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.
The Privacy Shield is based on the following principles:
- Strong obligations on companies handling data
- Regular updates and reviews of participating companies
- Tighter conditions for onward transfers
- Clear safeguards and transparency obligations on U.S. government access
- A redress possibility in the area of national intelligence for Europeans through an ombudsperson mechanism
- Effective protection of individual rights
- An annual joint review mechanism
- From the 1st August 2016, any company doing business in the U.S. or with U.S. companies was able to sign up to the Privacy Shield with the U.S. Department of Commerce. The Department of Commerce then verifies that the company’s privacy policies comply with the high data protection standards.
- To incentivize the use of the new Privacy Shield, the program provided that if an organisation files its self-certification by September 30th, 2016, it was granted a nine-month grace period to conform its contracts with third-party processors to the new onward transfer requirements under the Privacy Shield. (2&3)
- The GDPR was adopted on 25th April 2016; it was produced by the European Parliament and Council. It replaced the Data Protection Directive.
The GDPR (General Data Protection Regulation) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union.
The GDPR includes:
- International data transfers
- Increase in territorial scope
- New responsibilities for data processors
- Tighter consent requirements
- Profiling and big data
- Data breach notifications
- Accountability requirements
- Privacy impact assessments
- EU GDPR Privacy Seal and code of conduct (4)
- DPO appointments
- New tougher sanctions
The new regulation created much controversy, and a number of alleged issues were highlighted, such as:
- Having a Data Protection Officer comes with administrative burden
- The new regulations were developed with a focus on social networks and cloud providers, but did not consider requirements for handling employee data sufficiently
- Data portability is not seen as a key aspect for data protection, but more a functional requirement for social networks and cloud providers
- Protection against automated decisions in Article 22, brought forward from the Data Protection Directive’s Article 15, has been claimed to provide protection against growing numbers of algorithmic decisions on and offline, including potentially a right to an explanation. Whether these old provisions do provide any meaningful protection is a subject of ongoing debate
- EU citizens no longer have a single Supervisory Authority to contact for their concerns, but have to deal with the Supervisory Authority chosen by the company involved
- Communication problems due to foreign languages have to be expected
- Personal data cannot be transferred to countries outside the EEA unless they guarantee the same level of data protection
- The biggest challenge might be the implementation of the GDPR. The implementation of the EU GDPR will require comprehensive changes to business practices
- There is a distinct lack of privacy experts and knowledge
- The European Commission and DPAs have to provide sufficient resources and power to enforce the implementation
- Europe’s international trade policy is not yet in line with the GDPR
- The regulation, published in the Official Journal of the European Union on May 4th 2016, entered into force 20 days after its publication. Its provisions will be directly applicable in all member states two years after that date. (3)
- 25th May 2018 – D Day for the GDPR!
An article on Computer Weekly revealed that the Privacy Shield has come under scrutiny for not providing adequate protection for transferred data and for its lack of protection against surveillance by the U.S. government. It concluded that the European Data Protection Supervisor (EDPS) and the European Commission, known as the Article 29 Working Party (WP29), have rejected the Privacy Shield, citing an overall lack of clarity regarding the new framework, as well as the fact that it makes access more difficult for data subjects, organisations and data protection authorities.
There isn’t a definite answer to the big question. It is clear that, in terms of GDPR compliance, self-certification under the Privacy Shield does not cover the full requirements of the EU GDPR. What is not clear is how the rejection of the Privacy Shield by WP29 will affect future legal challenges.
What we are clear about is that be.Infoready will keep you updated throughout your subscription period.
Do you need help with preparing for the GDPR? Contact us today to find out more information.