In 1998, the European Commission’s Directive on Data Protection began prohibiting the transfer of personal data from European Union countries to other countries that are not labeled as adequate under the EU standard for privacy protection. As this requirement could cause significant hurdles to international transactions between the US and the EU, including the creation and approval of US governmental data protection agencies, the US wanted a more efficient route for adequacy.
In 2000, the EU approved the EU-US Safe Harbor Framework, which allowed organizations to self-certify in order to quickly meet the data protection adequacy requirement of the EU and allow easier access to international trade. In 2015, the European Court of Justice deemed the US-EU Safe Harbor Framework invalid for determining the adequacy of data protection. In its place, the US Department of Commerce worked with the European Commission to create the EU-US Privacy Shield Framework, which the European Commission deemed sufficient to determine adequate data protection in 2016.
The Privacy Shield Framework has replaced the Safe Harbor Framework, and serves the same purpose of allowing for self-certification of adequacy, along with additional benefits. Also, in 2016, the General Data Protection Regulation (GDPR) went into effect, replacing the European Union’s Directive on Data Protection. The GDPR maintains, in Chapter V, the Data Protection Directive’s requirement of a showing of adequate privacy protections for transferring personal data out of the EU, but also allows alternative privacy safeguards like Privacy Shield Certification in place of a showing of adequacy.
First and foremost, certification with the Privacy Shield avoids issues with the GDPR when transferring personal data for the organization from the EU to the US. The Privacy Shield framework was created to address all of the substantive and procedural requirements of the GDPR, and was approved for this purpose, so participating organizations will pass the adequacy requirement of the EU included in the GDPR. Due to the current invalidity of the Safe Harbor Framework, organizations previously certified under Safe Harbor now need to self-certify under the Privacy Shield to use this benefit. While Privacy Shield Certification does not equal compliance with the GDPR, it is an accepted alternative that allows an organization to pass the adequacy standard of data protection.
The Privacy Shield also gives participants easy approval of EU data transfers, either waiving approval requirements altogether or granting automatic approval. The Privacy Shield was also built to allow easy and inexpensive compliance, made to help smaller-sized businesses find a way to participate in international transactions without needing to spend large amounts of resources otherwise seeking compliance with the GDPR. Using the Privacy Shield Framework is a quick and easy way to obtain a certification valid with the GDPR and begin making business transactions with personal data in the EU.
If you have questions about the Privacy Shield or GDPR and your company’s compliance therewith, Traverse Legal’s attorneys are here to help.
This blog post was contributed, in part, by Traverse Legal’s Virtual Law Clerk Scott Pehoushek.