The GDPR and Privacy Shield: Two Important Links in Your Privacy Compliance Chain

May 20, 2020, 09:00 AM by Cobun Keegan

As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in full force. Over the past few months, we have seen companies around the world ramping up their data privacy efforts to meet the requirements of this important regulation. In the United States these efforts are often coupled with curiosity about how GDPR relates to the EU-US Privacy Shield agreement. From companies that already participate in Privacy Shield to those that are looking to add participation as part of their compliance efforts, many have questions about how Privacy Shield relates to their GDPR compliance obligations.

What is the GDPR? As its name suggests, the GDPR includes general rules covering many different aspects of data protection in the EU. (In this post, “data protection” and “data privacy” are used interchangeably.) The regulation is meant to modernize and standardize data privacy rules across the 28 EU member states, mandating a more holistic integration of best practices for managing and securing personal data. Much of the basic framework of the GDPR, including its prohibition on transferring personal data to countries with less stringent privacy rules, is not new. What is new is the potential financial exposure of noncompliance. As you have likely heard, GDPR violations could come with massive penalties. Certain infringements could result in fines of up to €20 million or four percent of a firm’s total worldwide annual turnover for the preceding financial year, whichever is higher.

What does the GDPR mean for U.S. companies? The GDPR’s broad definition of “personal data,” coupled with its extraterritorial scope, means that a wide variety of U.S. companies could be affected. Your compliance obligations do not depend on whether your company has an establishment in the EU. Companies that are not physically present in the EU, but still monitor the online behavior of individuals in the EU, or otherwise collect or receive the personal data of individuals in the EU in connection with an offering of goods or services to them, may also be subject to the GDPR. Note that the test is where the individual is located, not whether the individual is an EU citizen.

EU-wide data protection rules do not stop at European borders. They also regulate transfers of data outside of the EU, requiring companies to demonstrate that similar privacy protections are in place wherever personal data is sent. Companies have a number of options for lawfully transferring personal data to a particular jurisdiction. These range from adopting “appropriate safeguards” such as binding corporate rules or standard contractual clauses to relying on a European Commission “adequacy decision” covering the destination country.

This is where Privacy Shield comes in for organizations in the United States. Perhaps the most straightforward means for a company to lawfully transfer personal data out of the EU is to send it to a jurisdiction that the European Commission finds adequate in meeting EU privacy standards. U.S. regulators, through an ongoing dialog with their EU counterparts, have secured an “adequacy decision” covering the receipt in the United States of EU personal data, but only in limited circumstances. The resulting Privacy Shield agreement enables participating organizations to self-certify that they have aligned their internal privacy protections with EU data protection standards for personal data they receive, process, and share with business partners and vendors pursuant to the Privacy Shield Framework.

Privacy Shield provides for these equivalent privacy protections in the U.S. in a few ways. Most importantly, it requires U.S. participants to be transparent about their privacy practices. By making a public self-certification to the U.S. Department of Commerce, and setting forth their Privacy Shield-compliant privacy practices in a public privacy notice, companies commit to provide data protections to EU individuals that are then enforceable by U.S. regulators (primarily the Federal Trade Commission). Privacy Shield also sets up oversight and monitoring through the Commerce Department and creates a multilevel dispute resolution pathway for EU individuals.

As one of Privacy Shield’s mandated independent recourse mechanisms (IRMs), the BBB’s EU Privacy Shield program is an important part of the agreement. Companies that self-certify their compliance with Privacy Shield must elect either to cooperate with European data protection authorities or to select a private alternative dispute resolution service; for human resources data received from the EU, cooperation with the data protection authorities is required. The contact information for a company’s chosen IRM must be provided in its privacy notice for EU data subjects as an avenue for them to resolve their privacy disputes with the company. In the event of a valid Privacy Shield complaint against one of our participants, BBB EUPS provides independent third-party conciliation and arbitration options, enabling EU individuals to enforce their privacy rights in the United States.

Privacy Shield is both a straightforward and flexible means of demonstrating that your company meets the EU rules regarding transfers of EU personal data to the United States, including the relevant sections of the GDPR.

Compliance with the substantive requirements and the mandated privacy policy disclosures of Privacy Shield can also serve as an on-ramp for U.S. firms to advance their compliance with the GDPR. Participation in Privacy Shield is not sufficient for full GDPR compliance, and not all EU data subject rights conferred by the GDPR can be enforced through Privacy Shield. However, for many companies, working with an IRM such as BBB EU Privacy Shield to ensure that your privacy notice and self-certification accurately reflect the data privacy practices and disclosures mandated by Privacy Shield can represent a significant step toward full compliance with the GDPR.
