Exporting data and the EU-US Privacy Shield
Since the 1995 European Data Protection Directive, organizations have been prohibited from transferring personal data outside of the European Union to a third country that does not ensure “an adequate level of protection.” There are several mechanisms available to US organizations that enable them to demonstrate that their privacy practices meet EU data protection requirements.
What is the Privacy Shield?
The EU-US Privacy Shield is a binding data transfer framework that governs the transfer, handling, sharing, and use of EU residents' personal data within the United States. Compared to the Safe Harbor, which it replaced in July 2016, the Privacy Shield imposes stricter and more comprehensive data protection obligations on US organizations that handle EU personal data.
While retaining many elements of Safe Harbor, the Privacy Shield includes expanded privacy protection rights for EU individuals, greater transparency around data collection and use, safeguards on how US authorities can access the data of European residents, and creates a framework for resolving disputes over misuse of personal data. More than 500 US organizations have signed up to the Privacy Shield, including Facebook, Google, and Microsoft.
Privacy Shield certification
The Privacy Shield enables US organizations to collect and handle personal data from EU countries after self-certifying their adherence to the protections set out in seven Privacy Shield principles. US organizations must:
- be subject to the investigatory and enforcement powers of the Federal Trade Commission, Department of Transport or other US statutory body,
- file a self-certification submission signed by a corporate officer,
- register with an independent recourse mechanism either in the US or the EU,
- have in place a verification mechanism to review and confirm compliance with the Privacy Shield principles—this can either be an internal self-assessment or third party assessment program,
- designate a point of contact for handling all questions, complaints, access requests and other issues relating to the Privacy Shield, and
- include links on their websites to the relevant parts of the DoC’s website, the Privacy Shield list and the website of the independent recourse mechanism with which they have registered.
Further details of the registration process are published on the
Privacy Shield website >>
The EU Commission has created three model contracts for data transfers (“Model Contracts”) and determined that organizations that use model contracts offer sufficient safeguards for cross-border data transfer as required by the Data Protection Directive.
Two of the sets of model contracts (the controller-to-controller clauses) relate to the transfer of personal data from one organization to another, which then uses the data for its own purposes.
The other model contract relates to the transfer of personal data to a processor acting under the instructions of the controller, such as a company that provides IT services or runs a call center (the controller-to-processor clauses).
Many countries within the EU currently require organizations that enter into a model Contract to take an additional step of notifying the data protection authority of the existence of the agreement. These national requirements will largely be removed when the GDPR comes into effect in May 2018.
Binding Corporate Rules (BCRs)
BCRs are a set of legally binding corporate rules approved by an EU data protection authority that allow groups of companies to make intra-organizational transfers of personal data, including to offices based outside of the EU. BCRs currently need to be approved by every European data protection authority that a member of the corporate group will operate in.
The GDPR simplifies the approval process by requiring national data protection authorities to recognize BCRs approved by any other authority within the EU, provided that they are:
- legally binding and enforced by each member of the corporate group,
- legally binding on employees of the corporate group, and
- give enforceable rights to data subjects.
It is likely that the use of BCRs will increase as a result of the GDPR.
EU GDPR & EU-US Privacy Shield – A Pocket Guide
This concise guide is essential reading for US organizations wanting an easy-to-follow overview of the new regulations and the compliance obligations for handling personal data of EU residents, including guidance on the EU-US Privacy Shield.