As a result of the European Union (EU) General Data Protection Regulation’s (GDPR’s) extraterritorial reach, a U.S. business that controls or processes personal data of EU citizens may be subject to the GDPR. Over 5000 companies have opted to self-certify to the U.S. Privacy Shield Framework in order to be deemed GDPR compliant.
What Is the GDPR?
The GDPR came into effect on May 25, 2018 and is an EU regulation that requires businesses to protect EU citizens’ privacy and personal data. It also grants several rights to individuals with respect to their personal data:
Access
Update
Opt out
Erasure
Portability
For more details, see my May 23, 2019 blog post: GDPR: 1 Year of Non-Compliance.
What Is the Privacy Shield Framework?
The Privacy Shield Framework is a mechanism for a U.S. company to comply with the GDPR when transferring personal data from the European Economic Area (EEA) to the U.S. There are two Privacy Shields: EU-U.S. and Switzerland-U.S. American companies join the Privacy Shield by self-certifying to the U.S. Department of Commerce (DoC) and publicly committing to comply with Privacy Shield requirements.
Although joining the Privacy Shield Framework is voluntary, once a U.S. company commits to participate in the Privacy Shield that commitment is enforceable under U.S. law. The DoC coordinates with EU Data Protection Authorities (DPAs) to ensure compliance.
As with the GDPR itself, the Privacy Shield provides privacy and security protections for EEA and other individuals. It also provides enhanced complaint resolution for EEA citizens.
The 7 Privacy Shield Principles
The seven Privacy Shield Principles form the core of the Privacy Shield Regime:
Notice: Publication of a privacy notice that includes the company’s collection and use of data, who it shares data with, data access rights, company contact information, independent resolution body contact information, and more.
Choice: Opportunity for an individual to opt out of having their personal information, and to opt in to having their sensitive information, disclosed or used in certain ways.
Accountability for Onward Transfer: Requirement that the U.S. company enter into contracts with third parties that ensure that the third-party service provider adheres to the Privacy Shield Principles.
Security: Measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation: Limitations restricting the use of data to its intended purpose and restricting the length of retention, together with an obligation to ensure the data is reliable, accurate, complete and current.
Access: Process by which an individual can access her information and correct, amend or delete data that is inaccurate or that has been processed in violation of the Privacy Shield Principles.
Recourse, Enforcement and Liability: Mechanisms for compliance with the Privacy Shield Principles including recourse for individuals who are affected by noncompliance, and consequences for the organization’s noncompliance.
For full details on the seven Privacy Shield Principles and the equally binding 16 Supplemental Principles, see https://www.privacyshield.gov/EU-US-Framework.
EU-U.S. v Switzerland-U.S. Privacy Shield Framework
There are minor differences related to the specific Supervisory Authority, dispute resolution fees, grace period, and categorization of “sensitive data.”
Next Steps
It is possible that your existing policies adequately cover issues raised by the GDPR. However, it is necessary to undertake a review of internal and external processes to determine if GDPR-specific policies should be implemented. The mapping of data should include internal sharing and storage along with the mapping of data flows to third-party service providers.
The following are some of the issues to address:
Map data flows.
Review controls / conduct risk assessment.
Obtain informed consent from clients: opt in not opt out.
Review and amend existing vendor agreements re: breach liability.
Train management team and staff.
Create a data protection plan or review and update existing data protection plan.
For assistance, please contact me via my contact page or at elizabeth@elizabethmcmorrowlaw.com.