The EU-US Privacy Shield and Other Methods of Exporting Data from the EU under the GDPR
Under the EU's GDPR (General Data Protection Regulation), personal data of data subjects in the EU may not be transferred out of the EEA (European Economic Area) unless the transfer is covered by a mechanism that ensures "an adequate level of protection". The most straightforward basis is for the recipient to be based in a third country with an 'adequacy decision': a territory whose legislation the European Commission has assessed as providing a level of protection essentially equivalent to that of the EU.
Canada has been given such an adequacy decision for organizations subject to its federal private-sector privacy law (PIPEDA). US-based organizations do not have that privilege, so the US and the EU negotiated the EU-US Privacy Shield scheme to replace the Safe Harbor scheme, which the Court of Justice of the European Union invalidated in October 2015 (the Schrems judgment). Privacy Shield was designed to provide a basis for transferring personal data from the EU to the US without requiring the US government to put a new general data protection regime in place.
Following the Facebook-Cambridge Analytica scandal and the passage of the US CLOUD Act, the future of the EU-US Privacy Shield is in doubt: in July 2018 the European Parliament adopted a resolution calling for the scheme to be suspended unless the US authorities were in full compliance with the EU's requirements by September 1, 2018. The alternative data transfer mechanisms are described below.
How does the Privacy Shield scheme work?
Although it retains many elements of the Safe Harbor scheme, the Privacy Shield imposes stricter and more comprehensive data protection obligations on US organizations that handle EU personal data. It includes expanded privacy rights for EU data subjects, greater transparency around data collection and use, and safeguards and oversight on how US public authorities can access that data, and it creates a framework for resolving complaints about misuse of personal data.
US organizations self-certify their adherence to the seven Privacy Shield principles (Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability). To self-certify, a US organization must:
- Be subject to the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transportation, or another US statutory body that can effectively ensure compliance.
- File a self-certification submission signed by a corporate officer.
- Register with an independent recourse mechanism, based either in the US or in the EU, that can investigate unresolved complaints at no cost to the individual.
- Have in place a verification mechanism to review and confirm compliance with the Privacy Shield principles; this can be either an internal self-assessment or a third-party assessment program.
- Designate a point of contact for handling questions, complaints, access requests, and other issues relating to the Privacy Shield.
- Include in its public privacy policy links to the relevant parts of the DoC's (US Department of Commerce's) Privacy Shield website, including the Privacy Shield List, and to the website of the independent recourse mechanism with which it has registered.
Further details of the self-certification process are published on the Privacy Shield website.
Alternative methods of data transfer
The European Commission has issued three sets of standard contractual clauses (also known as model contracts) and has determined that incorporating them unchanged into a transfer agreement provides appropriate safeguards for cross-border data transfers. It should be noted, however, that the clauses are currently under review by the Court of Justice of the European Union, which is to decide whether they adequately protect data subjects' rights when data is transferred to the US.
Two of the sets (controller-to-controller clauses) cover the transfer of personal data from one organization to another organization that then uses the data for its own purposes.
The third set (controller-to-processor clauses) covers the transfer of personal data to a processor acting only on the instructions of the controller, such as an organization that provides IT services or runs a call center.
Many EU countries used to require organizations that entered into a model contract to take the additional step of notifying the data protection authority of the agreement's existence, or of obtaining its authorization. These national requirements have largely fallen away now that the GDPR has come into effect, since Article 46(2)(c) allows transfers under the standard clauses without specific authorization from a supervisory authority.
BCRs (binding corporate rules)
BCRs, as set out in Article 47 of the GDPR, are a set of legally binding internal rules, approved by the competent supervisory authority, that allow a group of undertakings or enterprises engaged in a joint economic activity to transfer personal data within the group, including to group entities established outside the EEA. Approval is given under the GDPR's consistency mechanism, so BCRs approved by one supervisory authority are recognized across the EU, provided that they:
- Are legally binding on, and enforced by, every member of the corporate group
- Are legally binding on the employees of the corporate group
- Expressly confer enforceable rights on data subjects regarding the processing of their personal data.
How we can help you
We offer a comprehensive range of solutions, services, and expertise to help you meet your GDPR compliance objectives.
GDPR products and services
EU GDPR & EU-US Privacy Shield – A Pocket Guide
This concise guide is intended for US organizations wanting an easy-to-follow overview of the Regulation and of the compliance obligations that apply when handling the personal data of EU data subjects, including guidance on the EU-US Privacy Shield.
GDPR EU – Representative
Under Article 27 of the GDPR, organizations that are not established in the EU but are subject to the Regulation will, unless one of the Article's exemptions applies, have to designate a representative established in an EU member state. We can act as your representative.
Speak to an expert
Please contact our GDPR team for advice and guidance on our products and services.