With data protection-related activity bustling around the world, from “Brexit” and GDPR enforcement to the approaching CCPA and exciting developments in the APAC region, it’s understandable to lose track of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
What follows are responses to the most frequent Privacy Shield inquiries TrustArc is hearing from our customers.
Is Privacy Shield Still Valid?
Yes – in fact, Privacy Shield is fast approaching its three-year anniversary on July 12th. Since its 2016 adoption, Privacy Shield has remained a sound, scalable and steady legal transfer mechanism for U.S. entities seeking to receive personal data from the EU and/or Switzerland, with two successive approvals from the European Commission’s annual review process.
What Happened with the Earlier EU Parliament Rumblings and the Successful Annual Reviews?
While the EU Parliament had indicated concerns with the Privacy Shield arrangement, the Parliament does not actually have the authority to determine the adequacy of the Privacy Shield program. That authority is reserved exclusively for the European Commission (EC).
In July of last year the EC’s Justice Commissioner stated that a Parliament-requested suspension was “not warranted,” and further indicated that Privacy Shield is of “vital importance” to commerce and has “vigorous data protection requirements.”
Moreover, in its December 2018 report to the European Parliament and Council, the EC concluded that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield,” while further noting the improvements to Privacy Shield’s functioning since its previous annual review, along with steps it will continue to monitor.
Did the GDPR Replace Privacy Shield?
No – personal data transfers outside of the European Economic Area (EEA) are a key component of GDPR, and Privacy Shield provides a way for U.S. organizations to address this: Privacy Shield represents the European Commission’s determination that the United States provides an acceptable level of data protection, essentially equivalent to that of the EU.
Would Brexit Invalidate Privacy Shield?
No – with the deadline for the United Kingdom to exit the European Union having been extended to October 31st, EU law will remain applicable in the U.K. until such an exit takes place, with Privacy Shield continuing to apply to U.K. personal data as it always has.
In the event the U.K. does leave, two scenarios are possible for Privacy Shield participants, as the U.S. Department of Commerce has addressed in a set of FAQs. Either a “transition period” will be agreed upon by the U.K. and EU, during which EU data protection law (and Privacy Shield) will continue to apply; or, in the event of an immediate exit with no transition period, Privacy Shield participants will need to update their privacy notice(s) to state that they also rely on Privacy Shield for transfers from the U.K. Regardless of which scenario ultimately plays out, the status of the EU-U.S. Privacy Shield Framework will remain unchanged.
Lastly, where a participant had selected the EU Data Protection Authority panel for dispute resolution purposes, in the event of an exit the organization would instead have to cooperate with the U.K. ICO for U.K. residents’ complaints.
What Does It Mean that Standard Contractual Clauses Are Being Challenged in Court?
Pre-approved model or standard contractual clauses (SCCs), the existing versions of which pre-date the GDPR, are also recognized under GDPR as a valid data transfer mechanism to non-EEA “third countries.” According to the U.K. ICO, the European Commission plans to update the existing SCCs for GDPR alignment, but until such amendment or replacement the existing SCCs remain in force and usable. However, the validity of current SCCs as a transfer mechanism to the U.S. is currently being challenged in the European Court of Justice in a case brought by Austrian privacy advocate Maximilian Schrems.
The Court’s eventual conclusions on the questions before it could in theory invalidate SCCs as an EU-to-U.S. data transfer mechanism, and could also affect the status of the Privacy Shield Framework.
Most critically, however, the Privacy Shield Framework itself was developed in direct response to the requirements the European Court of Justice set out in its ruling on a previous case brought by Schrems, which invalidated the Safe Harbor program. Compliance with these new requirements was assessed and approved by the European Commission as a condition of its adequacy determination, which, as noted earlier, has been reaffirmed in two successive reviews by the Commission.
Are There Differences Between Privacy Shield and SCCs?
Yes – whereas Standard Contractual Clauses (SCCs) are transaction-based and apply only as between the specific parties signing them, an organization’s Privacy Shield self-certification applies to the receipt of any EU/Swiss personal data flows. This can save time and cost for businesses (especially SMEs and start-ups). Privacy Shield also affords individuals an independent recourse mechanism, which benefits consumers, partners and employees.
In light of the above, Privacy Shield remains a Commission-supported option for U.S. businesses seeking an established, cost-effective, scalable and agile means of receiving and protecting personal data from the EU and Switzerland.