The GDPR and Privacy Shield: Two Important Links in Your Privacy Compliance Chain

May 20, 2020, 09:00 AM by Cobun Keegan

As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in full force. Over the past few months, we have seen companies around the world ramping up their data privacy efforts to meet the requirements of this important regulation. In the United States these efforts are often coupled with curiosity about how GDPR relates to the EU-US Privacy Shield agreement. From companies that already participate in Privacy Shield to those that are looking to add participation as part of their compliance efforts, many have questions about how Privacy Shield relates to their GDPR compliance obligations.

What is the GDPR? As its name suggests, the GDPR includes general rules covering many different aspects of data protection in the EU. (Note that “data protection” and “data privacy” are synonymous.) The regulation is meant to modernize and standardize data privacy rules across the 28 EU member states, mandating a more holistic integration of best practices for managing and securing personal data. Much of the basic framework of the GDPR, including its prohibition on transferring personal data to countries with less stringent privacy rules, is not new. What is new is the potential financial exposure of noncompliance. As you have likely heard, GDPR violations could come with massive penalties. Certain infringements could result in fines of up to €20 million or four percent of a firm’s global gross revenue, whichever is higher.

What does the GDPR mean for U.S. companies? The GDPR’s broad definition of “personal data,” coupled with its extraterritorial scope, means that a wide variety of U.S. companies could be affected. Your compliance obligations are not determined solely by whether your company has an establishment in the EU. Companies that are not physically present in the EU, but still track the online activities of EU individuals, or otherwise collect or receive the personal data of individuals in the EU in connection with an offering of goods or services in the EU, may also be subject to the GDPR.

EU-wide data protection rules do not stop at European borders. They also regulate transfers of data outside of the EU, requiring companies to demonstrate that similar privacy protections are in place wherever personal data is sent. Companies have a number of options for demonstrating that such “appropriate safeguards” are in place for data transfers to a particular jurisdiction. These range from adopting binding corporate rules or standard contractual clauses to following the guidelines of a European Commission “adequacy decision.”

This is where Privacy Shield comes in for organizations in the United States. Perhaps the most straightforward means for a company to lawfully transfer personal data out of the EU is to send it to a jurisdiction that the European Commission finds adequate in meeting EU privacy standards. U.S. regulators, through an ongoing dialog with their EU counterparts, have secured an “adequacy decision” covering the receipt in the United States of EU personal data, but only in limited circumstances. The resulting Privacy Shield agreement enables participating organizations to self-certify that they have aligned their internal privacy protections with EU data protection standards for personal data they receive, process, and share with business partners and vendors pursuant to the Privacy Shield Framework.

Privacy Shield provides for these equivalent privacy protections in the U.S. in a few ways. Most importantly, it requires U.S. participants to be transparent about their privacy practices. By making a public self-certification to the U.S. Department of Commerce, and setting forth their Privacy Shield-compliant privacy practices in a public privacy notice, companies commit to provide data protections to EU individuals that are then enforceable by U.S. regulators (primarily the Federal Trade Commission). Privacy Shield also sets up oversight and monitoring through the Commerce Department and creates a multilevel dispute resolution pathway for EU individuals.

As one of Privacy Shield’s mandated independent recourse mechanisms (IRMs), the BBB’s EU Privacy Shield program is an important part of the agreement. Companies that self-certify their compliance with Privacy Shield must elect either to cooperate with European data protection authorities or to select a private alternative dispute resolution service. The contact information for a company’s chosen IRM must be provided in its privacy notice for EU data subjects as an avenue for them to resolve their privacy disputes with the company. In the event of a valid Privacy Shield complaint against one of our participants, BBB EUPS provides independent third-party conciliation and arbitration options, enabling EU individuals to enforce their privacy rights in the United States.

Privacy Shield is both a straightforward and flexible means of demonstrating that your company meets the EU rules regarding transfers of EU personal data to the United States, including the relevant sections of the GDPR.

Compliance with the substantive requirements and the mandated privacy policy disclosures of Privacy Shield can also serve as an on-ramp for U.S. firms to advance their compliance with the GDPR. Participation in Privacy Shield is not sufficient for full GDPR compliance, and not all EU data subject rights conferred by the GDPR can be enforced through Privacy Shield. However, for many companies, working with an IRM such as BBB EU Privacy Shield to ensure that your privacy notice and self-certification accurately reflect the data privacy practices and disclosures mandated by Privacy Shield can represent a significant step toward full compliance with the GDPR.
