The EU-US Privacy Shield & the GDPR
Under the EU’s GDPR (General Data Protection Regulation), EU residents’ data may not flow freely out of the EEA (European Economic Area), unless organizations in non-EEA countries can ensure “an adequate level of protection”. The most straightforward way of doing so is by being based in a third country with an ‘adequacy decision’. These are territories with legislation assessed by the European Commission as providing an acceptable level of protection.
Canada has been given such an adequacy decision for commercial organizations. Although US-based organizations do not have that privilege, the US has negotiated the EU-US Privacy Shield scheme (replacing the Safe Harbor scheme). This was designed to provide a basis for transferring data between the US and the EU that does not require the US government to put a new data protection regime in place.
Have a question? Speak to an expert
If you have any questions, or would like more information on GDPR compliance and the EU-US Privacy Shield scheme, get in touch with our GDPR experts who can advise you on which of our products and services are best suited to your needs.
How does the Privacy Shield scheme work?
Although retaining many elements of the Safe Harbor scheme, the Privacy Shield imposes stricter and more comprehensive data protection obligations on US organizations that handle EU personal data. For instance, it includes expanded privacy protection rights for EU residents and greater transparency around data collection and use.
US organizations can self-certify their adherence to the seven Privacy Shield principles. Read more about the registration process and requirements on the Privacy Shield website.
Due to the Facebook-Cambridge Analytica data breach and the CLOUD Act, the future of the EU-US Privacy Shield is currently in doubt. It might be suspended if US authorities do not comply with the EU requirements. The alternative data transfer mechanisms are described below.
Alternative methods of data transfer
The European Commission has issued three sets of standard contractual clauses, and determined that organizations that use these offer sufficient safeguards for cross-border data transfer. It should be noted, however, that these are currently being reviewed by the European Court of Justice to decide whether they are adequate for protecting data subjects’ rights.
Two of the sets (controller-to-controller clauses) relate to the transfer of personal data from one organization to another, which then uses the data for its own purposes.
The third set (controller-to-processor clauses) relates to the transfer of personal data to a processor acting under the instructions of the controller, such as an organization that provides IT services or runs a call center.
Many countries within the EU used to require organizations that entered into a model contract to take an additional step of notifying the data protection authority of the existence of the agreement. These national requirements have largely been removed now the GDPR has come into effect.
BCRs (binding corporate rules)
BCRs, as set out in Article 47 of the GDPR, are a set of legally binding rules approved by a supervisory authority that allow a group of organizations to make intra-organizational transfers of personal data, including to offices based outside the EU. The GDPR requires national data protection authorities to recognize BCRs approved by any other authority within the EU, provided that they:
- Are legally binding on, and enforced by, each member of the corporate group
- Are legally binding on the employees of the corporate group
- Give data subjects enforceable rights.
Read about our Contract and Legal Services for expert help with model contracts and BCRs.
How IT Governance can help you
We offer a comprehensive range of solutions, services, and expertise to help you meet your GDPR compliance objectives.
This concise guide is essential reading for US organizations wanting an easy-to-follow overview of the new regulations and the compliance obligations for handling EU residents’ personal data, including guidance on the EU-US Privacy Shield.
To comply with the GDPR, North American organizations will generally have to appoint a representative established in an EU member state. We can be your representative.
Get professional GDPR (General Data Protection Regulation) legal and compliance support to ensure your data protection documentation and commercial agreements conform to the Regulation. Our specialist legal and privacy team will help you to draft, review and update privacy notices, data protection policies, supplier contracts and international data transfer agreements.
Speak to an expert
Please contact our GDPR team for advice and guidance on our products and services.