The EU-US Privacy Shield
Under the EU's GDPR (General Data Protection Regulation), EU residents’ data may not flow freely out of the EEA (European Economic Area), unless organizations in non-EEA countries can ensure “an adequate level of protection”. The most straightforward way of doing so is by being based in a third country with an ‘adequacy decision’. These are territories with legislation assessed by the European Commission as providing an acceptable level of protection.
Canada has been given such an adequacy decision for commercial organizations. Although US-based organizations do not have that privilege, the US has negotiated the EU-US Privacy Shield scheme (replacing the Safe Harbor scheme). This was designed to provide a basis for transferring data between the US and the EU that does not require the US government to put a new data protection regime in place.
If you have any questions, or would like more information on GDPR compliance and the EU-US Privacy Shield scheme, get in touch with our GDPR experts who can advise you on which of our products and services are best suited to your needs.
How does the Privacy Shield scheme work?
Although retaining many elements of the Safe Harbor scheme, the Privacy Shield imposes stricter and more comprehensive data protection obligations on US organizations that handle EU personal data. For instance, it includes expanded privacy protection rights for EU residents and greater transparency around data collection and use.
US organizations can self-certify their adherence to the seven Privacy Shield principles.
Read more about the registration process and requirements on the Privacy Shield website.
Due to the Facebook-Cambridge Analytica data breach and the CLOUD Act, the future of the EU-US Privacy Shield is currently in doubt. It might be suspended if US authorities do not comply with the EU requirements.
Alternative data transfer mechanisms
If the US authorities do not comply with the EU requirements, alternative data transfer mechanisms will be needed.
SCCs (standard contractual clauses)
The European Commission has issued three sets of standard contractual clauses (also known as model contracts), and has determined that organizations that use them offer sufficient safeguards for cross-border data transfer. It should be noted, however, that these clauses are currently being reviewed by the European Court of Justice to decide whether they are adequate for protecting data subjects’ rights.
Two of the sets (controller-to-controller clauses) relate to the transfer of personal data from one organization to another, which then uses the data for its own purposes.
The third set (controller-to-processor clauses) relates to the transfer of personal data to a processor acting under the instructions of the controller, such as an organization that provides IT services or runs a call center.
Many countries within the EU used to require organizations that entered into a model contract to take an additional step of notifying the data protection authority of the existence of the agreement. These national requirements have largely been removed now the GDPR has come into effect.
BCRs (binding corporate rules)
BCRs, as set out in Article 47 of the GDPR, are a set of legally binding rules approved by a supervisory authority that allow a group of organizations to make intra-organizational transfers of personal data, including to offices based outside the EU. The GDPR requires national data protection authorities to recognize BCRs approved by any other authority within the EU, provided that they are:
- Legally binding on, and enforced by, each member of the corporate group
- Legally binding on employees of the corporate group
- Conferring enforceable rights on data subjects.
Read about our Contract and Legal Services for expert help with model contracts and BCRs.
How IT Governance can help
IT Governance, a leading global provider of IT governance, risk management, and compliance solutions, is at the forefront of helping organizations address the challenges of EU GDPR compliance.
We offer a comprehensive range of solutions, services, and expertise to help you meet your GDPR compliance objectives.