In this Blog we show how EU-US Privacy Shield registered companies can leverage it to meet key General Data Protection Regulation (GDPR) principles
EU-US Privacy Shield and GDPR Principles
24 April 2019
Despite ongoing uncertainties of the survival of the EU-US Privacy Shield as an available mechanism for cross-border data transfers, the European Data Protection Board extended its life for another year1.
This article describes how the Privacy Shield framework aligns neatly with key General Data Protection Regulation (GDPR) principles in place since 25 May 2018.
This table shows, at a glance, where the Privacy Shield and the GDPR line up:
|EU-US Privacy Shield||GDPR Article 5|
|Notice to include type of data collected, right of access and choice, conditions for onward transfer||Lawfulness, Fairness and Transparency|
|Policies (reflecting principles) are made public|
|Inform data subject of available recourses to pursue against data controller|
|Provide links to self-certification documents|
|Notice to include purpose of processing||Purpose Limitation|
|Limit personal data to what is necessary for the specified purpose of processing||Data Minimisation|
|Data for intended use must be reliable (complete, accurate, current)||Data Accuracy|
|Protect data subject against adverse effects from automated decisions|
|Retained in an identifying way/identifiable only for as long as it serves the purpose of initial collection or subsequently authorized use (statistical analysis, public interest, journalism, scientific and historical research archiving principles apply)||Storage Limitation|
|Use reasonable and appropriate security measures considering the risk involved in processing and the nature of personal data||Integrity and confidentiality|
There are nonetheless a number of gaps between the Privacy Shield and the GDPR. Here are some areas for EU-US Privacy Shield companies to consider having in place to achieve a higher degree of alignment with the GDPR requirements:
- Updating systems and writing procedures to facilitate the new rights to erasure, restriction, data portability, objection to automated individual decision-making and profiling, to lodge complaints with a national supervisory authority, and then incorporating all that information into public-facing privacy notices (Art. 13-22, 77).
- Reviewing your data processor contracts to ensure they include the new GDPR accountability requirements (Art. 28, 29, 32(4), 82-84).
- Populating formal records of personal data processing activities (Art. 30) if the company is processing sensitive personal data or it has more than 250 staff members (board members and owners count toward the 250).
- Establishing privacy-by-design/default practices to minimise risks to the rights and freedoms of natural persons posed by the contemplated processing (Art. 25) and performing data protection impact assessments (Art. 35-36) before launching the product or offering the service in the EU.
- Training staff to understand and issue spot problems related to GDPR by creating bespoke curriculum or licensing ready-made data privacy courses to roll out periodically.
- Establishing reporting processes so that upon becoming aware of a personal data breach, data processors can report to data controllers as soon as possible (preferably within 24 hours), and data controllers can report to supervisory authorities and affected individuals within 72 hours (Art. 33, 34).
- Designating a representative in the EU if the company has no physical presence in the EU or appointing a data protection officer. They should be available to EU supervisory authorities and individuals (Art. 27, 37), plus getting budgets approved to source and support that role (Art. 38-39).
- When operating an information society service (e.g., social media platform, a website that is open to anyone as opposed to, say, a business email system), evaluate whether you need to implement parental consent controls if children are involved. Various EU national laws mandate ages between 13 and 16 as not needing parental consent (Art. 8).
Almost a year since GDPR came to life, this risk-based regulation is still evolving. Take note of future lessons from others’ mistakes and react accordingly. Stay tuned for the next EDPB review and whether the EU-US Privacy Shield mechanism will be renewed again.
1EU-US Privacy Shield Second Annual Joint Review https://edpb.europa.eu/sites/edpb/files/files/file1/20190122edpb_2ndprivacyshieldreviewreport_final_en.pdf
© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP
The information provided and the opinions expressed represent the views of the author and do not constitute legal advice nor can be construed as offering comprehensive guidance of the various EU member state data protection legislations, regulations or other statutory measures referred to herein.