The Privacy Shield has been criticised for failing to provide adequate protection for EU individuals’ data.
This is the regulatory framework that American companies are guided by to transfer data to and from the EU.
It is a voluntary mechanism that US companies can use to legally send and receive data from the EU.
Businesses are strongly advised to sign up to the Privacy Shield, particularly if they plan to expand into Europe in the future.
Organisations that agree to process data under Privacy Shield are required to publicly advertise their compliance.
This shows they are committed to providing higher standards of data protection and that they are liable to strict fines if found to be in breach of them.
The introduction of the GDPR (General Data Protection Regulation) with its tougher protection laws has also raised concerns about the future of the Privacy Shield.
What is the Privacy Shield?
The EU-US Privacy Shield was agreed back in February 2016 and at the time, the European Commission declared in a press statement that it “will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.”
It was designed to replace the previous Safe Harbor agreement (‘International Safe Harbour Privacy Principles’) to ensure compliant data flows between the US and the EU.
It imposes stronger obligations for U.S. companies to protect the personal data of European citizens. It also calls for stronger monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission.
Much like an adequacy decision, it is a requirement for any third country that is outside the reach of the GDPR.
The new framework promised to enforce tougher obligations on US companies, in particular the requirement to monitor and enforce data protections more forcefully and cooperate with EU data protection authorities.
All personal data moving from the UK to the US is governed by the Privacy Shield framework, which at the same time obliges US companies to comply with the EU’s data protection requirements around the personal data of EU citizens.
The framework shows that the EU recognises the data protection laws of the third country as being robust enough to protect the data of EU citizens, and therefore eligible to receive EU data.
How it works
The Privacy Shield Principles that must be adhered to include notice, choice, accountability for onward transfer, data integrity and purpose limitation.
There are also several processes that must be followed, dealing with complaints, employee training, and disciplinary actions.
It must be renewed annually, is self-certified and the Privacy Shield site lists the certified companies.
The US FTC (Federal Trade Commission) is the agency overseeing the Privacy Shield. It has the power to bring fines against any company found to be in breach of the regulation.
It can issue administrative or court orders to compel an organisation to fix any violations.
If any organisation fails to comply with these orders, it can result in civil penalties of up to $40,000 for each violation, or $40,000 per day for ongoing violations.
If a company continues to flout the regulation, it could have its eligibility revoked, preventing it from using the mechanism for data transfers.
The Department of Commerce will then remove the company’s name from the Privacy Shield List.
With the UK’s exit from the EU on the horizon, organisations should be looking at how their data is transferred from the UK to the US – whether internally among a company’s different locations or externally to different partners – and at whether they use the UK as a base for EU operations.
Companies in both the US and the EU post-Brexit will need to act to ensure that compliant data flows between the UK and US under Privacy Shield.
The UK government has said that whatever kind of Brexit happens, data can continue to flow from the UK to the U.S.
It says that there will be a transition period during which current data protection agreements such as Privacy Shield will remain valid and unaffected until 2020.
If this, or a very similar, withdrawal agreement is put forward again, organisations in the UK and U.S. will continue as before but will need to be aware of updated guidance for how to prepare for what happens after any transition period.
In the event of a no-deal Brexit, the UK has said it plans to keep all the adequacy decisions the EU has made, including Privacy Shield, after it leaves.
Even when the framework was first implemented, it was regarded as inadequate, particularly in the context of US intelligence gathering.
And it has faced constant criticism for failing to provide adequate protections for EU individuals’ data.
While in Europe the GDPR is robust, and anyone failing to comply faces heavy fines and a risk of reputational damage, the U.S. has yet to implement a centralised data protection system.
California is soon to implement the CCPA and a few other states are moving towards implementing their own regime, but there is no nationwide data protection regulation in the U.S.
Many see the Privacy Shield as a compromise on the part of the EU to overcome this ongoing inconsistency, so that there is at least some method by which U.S. organisations can prove they can operate under a framework similar to the GDPR.
There have also been concerns about the Privacy Shield’s ability to protect EU data.
The former European data protection supervisor, Giovanni Buttarelli, (who sadly died in August) had said that the European Commission needed to develop a longer-term solution for sharing data across continents.
He claimed the Privacy Shield was not robust enough to withstand the sharing of data across the world and that several changes needed to be made for data to be shared reliably without putting that data or others’ privacy at risk. He also said that any new legislation should take into account the data protection rights already considered by both governments and private companies in Europe.