The GDPR and Privacy Shield: Two Important Links in Your Privacy Compliance Chain

As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in full force. Over the past few months, we have seen companies around the world ramping up their data privacy efforts to meet the requirements of this important regulation. In the United States these efforts are often coupled with curiosity about how GDPR relates to the EU-US Privacy Shield agreement. From companies that already participate in Privacy Shield to those that are looking to add participation as part of their compliance efforts, many have questions about how Privacy Shield relates to their GDPR compliance obligations.

What is the GDPR? As its name suggests, the GDPR includes general rules covering many different aspects of data protection in the EU. (Note that “data protection” and “data privacy” are synonymous.) The regulation is meant to modernize and standardize data privacy rules across the 28 EU member states, mandating a more holistic integration of best practices for managing and securing personal data. Much of the basic framework of the GDPR, including its prohibition on transferring personal data to countries with less stringent privacy rules, is not new. What is new is the potential financial exposure of noncompliance. As you have likely heard, GDPR violations could come with massive penalties. Certain infringements could result in fines of up to €20 million or four percent of a firm’s global gross revenue, whichever is higher.

What does the GDPR mean for U.S. companies? The GDPR’s broad definition of “personal data,” coupled with its extraterritorial scope, mean that a wide variety of U.S. companies could be affected. Your compliance obligations are not restricted to whether your company has an establishment in the EU. Companies that are not physically present in the EU, but still track the online activities of EU individuals, or otherwise collect or receive the personal data of individuals in the EU in connection with an offering of goods or services in the EU, may also be subject to the GDPR.

EU-wide data protection rules do not stop at European borders. They also regulate transfers of data outside of the EU, requiring companies to demonstrate that similar privacy protections are in place wherever personal data is sent. Companies have a number of options for demonstrating that such “appropriate safeguards” are in place for data transfers to a particular jurisdiction. These range from adopting binding corporate rules or standard contractual clauses to following the guidelines of a European Commission “adequacy decision.”

This is where Privacy Shield comes in for organizations in the United States. Perhaps the most straightforward means for a company to lawfully transfer personal data out of the EU is to send it to a jurisdiction that the European Commission finds adequate in meeting EU privacy standards. U.S. regulators, through an ongoing dialog with their EU counterparts, have secured an “adequacy decision” covering the receipt in the United States of EU personal data, but only in limited circumstances. The resulting Privacy Shield agreement enables participating organizations to self-certify that they have aligned their internal privacy protections with EU data protection standards for personal data they receive, process, and share with business partners and vendors pursuant to the Privacy Shield Framework.

Privacy Shield provides for these equivalent privacy protections in the U.S. in a few ways. Most importantly, it requires U.S. participants to be transparent about their privacy practices. By making a public self-certification to the U.S. Department of Commerce, and setting forth their Privacy Shield-compliant privacy practices in a public privacy notice, companies commit to provide data protections to EU individuals that are then enforceable by U.S. regulators (primarily the Federal Trade Commission). Privacy Shield also sets up oversight and monitoring through the Commerce Department and creates a multilevel dispute resolution pathway for EU individuals.

As one of Privacy Shield’s mandated independent recourse mechanisms, the BBB’s EU Privacy Shield program is an important part of the agreement. Companies that self-certify their compliance with Privacy Shield must elect either to cooperate with European data protection authorities or select a private alternative dispute resolution service. The contact information for a company’s chosen IRM must be provided in its privacy notice for EU data subjects as an avenue for them to resolve their privacy disputes with the company. In the event of a valid Privacy Shield complaint against one of our participants, BBB EUPS provides independent third-party conciliation and arbitration options, enabling EU individuals to enforce their privacy rights in the United States.

Privacy Shield is both a straightforward and flexible means of demonstrating that your company meets the EU rules regarding transfers of EU personal data to the United States, including the relevant sections of the GDPR.

Compliance with the substantive requirements and the mandated privacy policy disclosures of Privacy Shield can also serve as an on-ramp for U.S. firms to advance their compliance with the GDPR. Participation in Privacy Shield is not sufficient for full GDPR compliance, and not all EU data subject rights conferred by GDPR can be enforced through Privacy Shield. However, for many companies, working with an IRM such as BBB EU Privacy Shield to ensure that your privacy notice and self-certification accurately reflects the data privacy practices and disclosures mandated by Privacy Shield can represent a significant step toward full compliance with the GDPR.