The Privacy Shield Scheme and the GDPR
The EU/US Safe Harbor scheme was struck down by the Court of Justice of the European Union (CJEU) in October 2015, putting companies on both sides of the Atlantic in a difficult position: they no longer had a process for legally transferring personal data out of the EU to the US.
The new Privacy Shield scheme was put forward in February 2016 and finally adopted in August 2016. Privacy Shield, like the original Safe Harbor process, is an agreement between the EU and the US that allows the transfer of personal data from the EU to the US.
As of November 2017, 2,300 companies had joined Privacy Shield. However, Privacy Shield has not been universally accepted by all European countries, localities, and courts, and it will no doubt face challenges, as was the case with the Safe Harbor scheme.
Regulations and directives
The question is: what is the difference between a directive and a regulation? A regulation is law and therefore legally binding, whereas a directive is a recommendation and is not legally binding. Because the GDPR is a regulation (that is, a law), failing to follow it carries huge liabilities across all European Union member states. The GDPR also applies to companies outside the EU that hold the personal data of EU citizens.
The eight rights guaranteed under the GDPR
- Right to be informed - Provides transparency over how personal data is used.
- Right to access - Provides access to your data, how it is used, and any supplemental data that may be used alongside your data.
- Right to rectification - The right to have your personal data rectified if it is incorrect or incomplete.
- Right to erasure (or the right to be forgotten) - Your right to have personal data removed where there is no compelling reason to store it.
- Right to restrict processing - You can allow your data to be stored but not processed. An example of when you may want to invoke this right is if you believe inaccurate data about you is stored and is awaiting rectification.
- Right to data portability - You can request copies of information stored about you to use elsewhere, such as if applying for financial products across some
- Right to object - You can object to how your data is processed. One example is objecting to your data being used by direct marketing organizations. If you object, the regulation specifies that they must comply.
- Rights related to automated decision making and profiling - You can object to automated decisions being made based on your data. Automated means without human intervention; an example is your shopping habits being inferred from your previous online behavior.

If an organization or processor breaches a condition, the penalties are high. Businesses currently face fines of up to 20 million euros or 4% of their global turnover.
Are GDPR and Privacy Shield compatible?
An interesting fact is that the GDPR does not even mention the Privacy Shield agreement. In reality, the GDPR has specific requirements that apply to the transfer of data out of the EU, including that a transfer may only take place to countries deemed to have adequate data protection laws. So far the EU does not list the US as a country that meets that requirement. Privacy Shield, however, is designed to designate member companies as meeting certain data protection requirements.
Said another way, Privacy Shield allows US companies with a presence in the EU, or EU companies, to meet specific data handling requirements of the GDPR. A point to remember is that the GDPR is a law with extremely high penalties if not followed, so it must take priority at all times.
Moving to the cloud does not have to put your data at risk
Many companies fear moving their data into a cloud because they believe the cloud is some huge amorphous repository that stores data wherever there is available space. In reality, this is not the case.
For example, Microsoft Azure has numerous controls that allow you to designate how you collect, store, and use stored data. Microsoft has installed data centers in 32 regions around the world, so companies residing or doing business in the EU can designate the regions in which their data assets may be stored.
Archive360 has worked closely with Microsoft to ensure companies working with EU data can have peace of mind that they can fully comply with EU laws (and directives).
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles, and blogs.