GDPR Food for Thought: Privacy Shield

Miles & Stockbridge P.C.

The EU General Data Protection Regulation (GDPR) took effect on May 25, 2018. Potential fines for violating the GDPR include up to four percent of an organization's annual profits or €20 million (approximately $23 million), whichever is greater. Despite the risks associated with failing to meet the GDPR standards, many companies are still working towards compliance.

If you are among this group, it is critical to not give up but, rather, to focus on actively continuing efforts to achieve (and maintain) compliance.

In this next entry in our series on GDPR compliance action items, we look at the current status of the U.S. Privacy Shield, which is utilized by many U.S.-based companies to demonstrate adequate levels of personal data protection permitting transfer of such data from the EU and into the United States.

What is the EU-U.S. Privacy Shield: Privacy Shield was adopted in July 2016 as a replacement for Safe Harbor, a mechanism by which U.S. companies could show compliance with EU privacy protections, allowing transfer of personal data into the United States. In a 2015 decision by the European Court of Justice, Safe Harbor was determined to be inadequate for the protection of privacy. Thereafter, the European Commission and U.S. Department of Commerce established the Privacy Shield as a new legal framework under which transatlantic data could continue to be exchanged (a similar Swiss-U.S. Privacy Shield also exists). Under the Privacy Shield certification process, companies must self-certify to the U.S. Department of Commerce, and to the public at large, the company’s commitment to compliance with the Privacy Shield requirements. Once a company makes this certification, the commitment is enforceable under U.S. law (through the Federal Trade Commission).

Privacy Shield is Endangered: The European Parliament passed a non-binding resolution on July 5, 2018, requesting that the European Commission suspend Privacy Shield. Similar calls for suspension and/or outright revocation have been echoed by other European privacy organizations and agencies. The Parliament provided several reasons for recommending suspension, including the recent reauthorization of U.S. laws tied to collection of non-U.S. individuals’ personal data by U.S. intelligence agencies and access by U.S. law enforcement agencies to personal data stored in the EU. Concerns also arose following discovery of the Facebook-Cambridge Analytica issue (which occurred despite Facebook being certified under Privacy Shield). While the Parliament’s resolution is non-binding in nature, the Commission is likely to take these concerns and recommendations into account during the Commission’s annual review and continuation of approval of Privacy Shield (due in September 2018).

GDPR Impact: Even if the Commission elects to certify Privacy Shield for another year, amendments are likely to be made, as the original certification framework was based on the now-defunct EU Directive 95/46, which GDPR replaced when it took effect. Current opinion is that the Commission is unlikely to fully revoke or suspend Privacy Shield at this time but will push for changes to the scope and process of the framework both to address the concerns noted by the EU privacy groups and also to better align Privacy Shield with the regulatory structure of GDPR.

Potential Actions: The calls for revocation and/or suspension of Privacy Shield highlight the continuing divergent views between the EU and the U.S. over the U.S.’s approach to privacy (both relating to commercial data collection and data collection for national security purposes). If you are one of the more than 3,000 companies currently relying on Privacy Shield to demonstrate adequate data transfer protections, you should continue to monitor developments regarding Privacy Shield and consider additional and alternative methods of demonstrating compliance. This could include use of the EU Standard Contractual Clauses and/or other methods approved in the future by the EU regulatory authorities.

See our previous blog entries on Privacy Policies, Data Mapping, and Data Controllers and Data Processors.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising
