The EU-US Privacy Shield program was launched in early 2019 primarily as a response to two external causes: the ruling by the Court of Justice of the European Union (CJEU) that invalidated the Safe Harbour program in 2015, and the enactment of the General Data Protection Regulation (GDPR), introduced by the European Union in 2018.
The GDPR exists to protect the personal data of European Union citizens from misuse and abuse through a series of complex and intertwined legislative requirements. The EU US privacy shield and the GDPR legislation are supposed to work together to help organizations in the US when transferring the personal data of EU data subjects from the EU to the US.
This blog will explore the main differences between the EU US privacy shield and GDPR.
Privacy Shield Certification and GDPR
Data protection awareness and frameworks have increasingly become a topic of debate amongst legislators, consumers, and service providers. The most recent manifestation of data protection regulations came in the form of the European GDPR, which became law in 2016. Since then, third party countries (countries outside the EU, according to the regulation) have been in discussion with the European Commission, formulating frameworks that can facilitate the transfer of personal data of EU data subjects to the target country.
In comes the EU US privacy shield, a framework designed for the purpose mentioned above. In short, the European Commission determined that the EU US privacy shield fit its requirements of data protection as per its adequacy determination.
The adequacy determination outlines what a third country must do in order to comply with the data protection requirements set out by the GDPR. Most of the requirements form part of the main principles of the GDPR, found in the first part of the regulation's text, and are also outlined in the EU US privacy shield principles. Some examples are:
- Lawful reasons for processing (i.e. why the organization is processing the data).
- Time period of data held (i.e. it cannot be held longer than necessary, beyond the reason for processing).
- Processing of data is only being done to the extent to which it is necessary (i.e. the organization only uses payment data for processing payments and not marketing unless strict consent is given).
- Processing of data is being conducted under proper security measures (i.e. proper firewalls, encryption, and overall a strong cybersecurity architecture).
These are only a few of the requirements set out by the European Commission to satisfy the adequacy determination. The result of an agreement between governments is a net positive for data-driven industries in both countries as quoted by the European Commission:
“The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.”
The European Commission has deemed the EU US privacy shield as an adequate framework of data protection which is in line with the standards set out by the GDPR.
Although the EU US privacy shield is a data protection framework, privacy shield certification and GDPR differ in subtle but important ways. In the next section, this blog will explore some primary differences between privacy shield certification and GDPR.
Privacy Shield vs GDPR
There are six notable areas of difference between US Privacy Shield and GDPR:
1. Binding
The GDPR is enshrined in law and therefore applies to every organization within the very broad scope of its application; one does not simply opt out of the GDPR. It applies to all EU citizens and to non-EU citizens who are living within the EU.
EU US Privacy Shield is an opt-in self-certification program created to help US organizations to process the personal data of EU residents in accordance with the principles of the GDPR. Ostensibly it provides a framework for the protection of personal data flowing from the EU to the US.
2. Control and Enforcement
The GDPR is actionable in courts of law, and the highest authority within the EU regarding this law is the Court of Justice of the European Union (CJEU), where judgments carry the full weight of legal sanction and cannot be ignored.
The US Privacy Shield framework is under the dual control of the Federal Trade Commission (FTC) and the Department of Commerce (DoC); however, it is the FTC that carries the responsibility of monitoring and enforcing compliance with the Privacy Shield program.
This is a role the FTC is taking up with greater enthusiasm, as seen in late 2019 when five companies were investigated for falsely claiming that they had US Privacy Shield certification; one of the companies was found to have had a lapsed certificate. Privacy Shield Certification must be renewed annually.
3. Legal Interpretation
GDPR is a law and therefore it can only be interpreted through the courts rather than changed over time.
US Privacy Shield is reviewed annually by representatives of the governments of the EU and the US; both sides contribute to the review and suggest changes to bring Privacy Shield and GDPR closer in application.
A previous review led to the creation of the position of Privacy Shield Ombudsperson, filled by the U.S. Under Secretary of State for Economic Growth, Energy, and the Environment, Mr. Keith Krach. It is within the scope of the US Privacy Shield annual review for both parties, the US and the EU, to invalidate the Privacy Shield framework entirely, in effect to walk away.
4. Human Resource Data
One key difference between the US Privacy Shield and GDPR is in the interpretation of the definition of Human Resources (HR) data. The European Commission, which represents the EU when dealing with Privacy Shield and GDPR, defines HR personal data as:
‘Any personal data concerning an employee in the context of the employee-employer relationship.’
This means that any and all information about an employee generated by an organization is to be treated as personal data.
In contrast, the US Department of Commerce interprets HR personal data as:
‘Only the processing of data of employees within the same organization.’
In practice, this means that the DoC considers the transfer of EU employee data to a US Privacy Shield certified organization as a transfer of commercial rather than personal data. This is a key area of contention within the review groups.
5. Sanctions
Sanctions for non-compliance or breach differ greatly between US Privacy Shield and GDPR, since one is voluntary and the other mandatory.
The GDPR, through the involvement of the relevant Data Protection Authorities (DPAs), carries a possibility of reprimands, sanctions and fines, with the highest and most onerous of these being a fine of 20,000,000 Euros (about 22 million US dollars) or four percent of the annual global turnover of the organization, whichever is the lower amount.
There is also the ability for public naming of organizations that are found to be in breach of the GDPR, requirements for disclosure of certain internal organizational information, external audit, and more. The EU DPAs have shown themselves very willing and able to investigate data breaches and failures in compliance by organizations, with the end result being one of the above-mentioned sanctions.
US Privacy Shield currently enjoys less onerous sanctions; however, the annual privacy shield review provides scope for the Privacy Shield and GDPR sanctions to become aligned. Privacy Shield certification allows for the certified organization to be included on a publicly available list of participating companies that are in compliance with the privacy shield principles.
Alternately, there is also a publicly available list of those organizations no longer in compliance, and the sanctions for these organizations range from:
- Fines ($40,000 per day in some cases).
- Suspension and the removal of a seal.
- Injunctive awards.
- Payment of compensation to affected individuals.
- The issuance of a Cease and Desist order.
Persistent failure to comply will mean removal from the Privacy Shield List and the subsequent return or removal of all personal data received under the Privacy Shield program.
6. Data Protection Authorities
The importance of the role of the Data Protection Authorities (DPAs) is greatly highlighted in the GDPR legislation, and their role is seen to be solely for the protection of sensitive and personal data, as the title suggests.
This importance is further emphasized by the increased powers afforded them by the GDPR; in effect, the DPAs exist to uphold the law with regard to citizens’ personal data and function on behalf of the rights of the people. When a problem arises, it is the DPA of the relevant EU member state that is notified and then takes the appropriate actions.
The Privacy Shield, on the other hand, is enforced by the FTC, which has many responsibilities within its remit, of which protecting the personal data of EU citizens plays a very small part. Furthermore, the responsibility for upholding the Privacy Shield principles, especially the Recourse, Enforcement and Liability Principle, lies primarily with the organization dealing with the personal data, with the FTC only becoming involved at a later stage.
Disputes arising from within the EU will be first addressed to the relevant DPA who will, in turn, contact the FTC when a US Privacy Shield participating organization is involved.
Privacy Shield vs GDPR Table
| Area | Privacy Shield | GDPR |
|---|---|---|
| Is It Binding | No – only if you opt in to the framework. | Yes – as long as you process data of EU data subjects. |
| Control | Dual Control – split between FTC and DoC. | Single Court – the GDPR is actionable through the EU courts. |
| Scope | US Only – the framework only applies to US-based organizations that opt in. | Worldwide – the regulation applies to all countries that process EU residents’ data. |
| Adaptability | Changeable – the framework is under a yearly review and can be adapted with agreement by both countries. | Inelastic – being a regulation, it remains relatively unchangeable and can only be interpreted through the courts (EU Court). |
| Sanctions | Situational – depending on the situation, the sanctions can range from fines to civil action. | Strict – the sanctions outlined by the regulation remain rather strict, with 4% of global revenue or $22 million. |
| Enforcing Authority | FTC – Federal Trade Commission | DPAs – data protection authorities |
Privacy Shield and GDPR have their differences as explored in the above sections, but they are actually more similar than different. The overall goals of the privacy shield and GDPR are intended to protect the data of the individual. As mentioned in the first section, the adequacy determination according to the European Commission would have deemed the privacy shield framework as inadequate had there been irreconcilable differences between the framework and the GDPR.
It is important to understand what the intention behind both the regulation and the framework is. The underlying objective is to facilitate a program of data protection that both satisfies the needs of consumers and allows organizations to conduct business with minimal disruption.
Although the introduction of both privacy shield and GDPR has had some teething issues, the long-term view shows strong potential: the potential to create a market environment where cyber-conscious decision making becomes second nature to both consumers and service providers.
Benefit of Compliance
This then becomes the main motivator, or benefit, of compliance: increasingly cybersecurity-conscious markets will expect the best from their service providers. Effectively, meeting cybersecurity requirements may no longer be just a compliance measure, but may soon become a tool to satisfy consumer demand.
With all this in mind, it is essential to understand the underlying intentions and similarities of the EU US privacy shield and the GDPR. Constant change in the regulatory field can be viewed as a hindrance to your business, but there is also hidden potential.
There is potential to be ahead of the curve, using opportunities like this to ultimately increase your bottom line by tapping into the increasing demand for cybersecurity-conscious businesses that care about the handling of precious personal data and, inevitably, their digital presence.
Whatever you choose to do, RSI Security is here for you. With a broad range of cybersecurity services, we can help with compliance, from privacy shield and GDPR to technical writing to full cybersecurity architecture and implementation. Book a consultation today!