The Privacy Shield Scheme and the GDPR

Posted by Bill Tolson • January 3, 2018
Topics: Azure, Archive2Azure

The EU/US Safe Harbor scheme was struck down by the Court of Justice of the European Union (CJEU) in October of 2015, putting companies on both sides of the Atlantic in a difficult position: they no longer had a process for legally transferring data out of the EU to the US.

The new Privacy Shield Scheme was put forth in February 2016 and finally adopted in August of 2016. Privacy Shield, like the original Safe Harbor process, is an agreement between the EU and U.S. allowing for the transfer of personal data from the EU to the US.

As of November 2017, 2,300 companies had joined the Privacy Shield. However, Privacy Shield has not been universally accepted by all European countries, localities, and courts, and will no doubt face challenges, as was the case with the Safe Harbor scheme.

Regulations and directives

The General Data Protection Regulation (GDPR), which is set to come into effect in May 2018, is the new legal framework in the EU that replaces the current EU Data Protection Directive.

The question is: what is the difference between a directive and a regulation? In fact, a regulation is law and therefore legally binding, whereas a directive is a recommendation and is not legally binding. This fact highlights that the GDPR, being a law, carries huge liabilities if it is not followed by all European Union member states. The GDPR also applies to companies outside of the EU that hold the personal data of EU citizens.

The eight rights guaranteed under the GDPR

  • Right to be informed - This provides transparency over how personal data is used.
  • Right to access - Provides access to your data, how it is used, and any supplemental data that may be used alongside your data.
  • Right to rectification - The right to have your personal data rectified if it is incorrect or incomplete.
  • Right to erasure (or the right to be forgotten) - Your right to have personal data removed where there is no compelling reason to store it.
  • Right to restrict processing - You can allow your data to be stored but not processed. An example where you may want to invoke this right is if you feel that inaccurate data is stored awaiting rectification.
  • Right to data portability - You can request copies of information stored about you to use elsewhere, such as if applying for financial products across some
  • Right to object - You can object to how your data is processed. One example may be in that you object to your data being used by direct marketing organizations. If you object, the regulation specifies they must comply.
  • Rights related to automated decision making and profiling - You can object to automated decisions being made based on your data. Automated means without human intervention. An example may be online shopping habits being determined based on previous online behavior. If an organization or processor breaches a condition, the penalties are high. Businesses currently face fines of up to 20 million euros or 4% of their global turnover.

Are GDPR and Privacy Shield compatible?

An interesting fact is that the GDPR does not even mention the Privacy Shield agreement. In reality, the GDPR has specific requirements that apply to the transfer of data out of the EU, including that the transfer can only happen to countries that have been deemed as having adequate data protection laws. So far the EU does not list the US as a country that meets that requirement. However, Privacy Shield is designed to designate member companies as meeting certain data protection requirements.

Said another way, Privacy Shield allows US companies with a presence in the EU or EU companies to meet specific data handling requirements of the GDPR. A point to remember is that the GDPR is a law with extremely high penalties if not followed, so it must take priority at all times.

Moving to the cloud does not have to put your data at risk

Many companies fear moving their data into a cloud due to the belief the cloud is some huge amorphous repository that stores data wherever there is available space. In reality, this is not the case.

For example, Microsoft Azure has numerous controls that allow you to designate how you collect, store, and use stored data. Microsoft has installed data centers in 32 regions around the world, so companies residing or doing business in the EU can designate in which regions their data assets can be stored.
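One concrete way to enforce that designation, added here as an illustration and not taken from the original post or from Archive360 or Microsoft, is a custom Azure Policy definition modelled on the structure of Azure's built-in "Allowed locations" policy: it denies creation of any resource whose location is outside the listed regions. The display name and the two EU regions in the default value are assumptions for this example.

```json
{
  "properties": {
    "displayName": "Restrict resource locations to EU regions (example)",
    "description": "Deny creation of resources outside the approved EU regions so data assets stay within the designated geography.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Azure regions in which resources may be created (example default: West Europe and North Europe).",
          "strongType": "location"
        },
        "defaultValue": [
          "westeurope",
          "northeurope"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          },
          {
            "field": "type",
            "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Assigned at subscription or management-group scope, the deny effect blocks new deployments outside the list but does not move resources that already exist elsewhere. It also constrains only the resource's declared location, so service-level replication settings (for example geo-redundant storage to a paired region) still need to be reviewed separately.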

Archive360 has worked closely with Microsoft to ensure companies working with EU data can have peace of mind that they can fully comply with EU laws (and directives).
