In this Blog we show how EU-US Privacy Shield registered companies can leverage it to meet key General Data Protection Regulation (GDPR) principles
EU-US Privacy Shield and GDPR Principles
24 April 2019
Despite ongoing uncertainties of the survival of the EU-US Privacy Shield as an available mechanism for cross-border data transfers, the European Data Protection Board extended its life for another year1.
This article describes how the Privacy Shield framework aligns neatly with key General Data Protection Regulation (GDPR) principles in place since 25 May 2018.
This table shows, at a glance, where the Privacy Shield and the GDPR line up:
|EU-US Privacy Shield||GDPR Article 5|
|Notice to include type of data collected, right of access and choice, conditions for onward transfer||Lawfulness, Fairness and Transparency|
|Policies (reflecting principles) are made public|
| Inform data subject of available recourses to pursue against data controller|
|Provide links to self-certification documents|
|Notice to include purpose of processing|
|Limit personal data to what is necessary for the specified purpose of processing|
|Data for intended use must be reliable (complete, accurate, current)||Data Accuracy|
| Protect data subject against adverse effects from automated decisions|
|Retained in an identifying way/identifiable only for as long as it serves the purpose of initial collection or subsequently authorized use (statistical analysis, public interest, journalism, scientific and historical research archiving principles apply)|| Storage Limitation|
|Use reasonable and appropriate security measures considering the risk involved in processing and the nature of personal data || Integrity and confidentiality|
There are nonetheless a number of gaps between the Privacy Shield and the GDPR. Here are some areas for EU-US Privacy Shield companies to consider having in place to achieve a higher degree of alignment with the GDPR requirements:
Almost a year since GDPR came to life, this risk-based regulation is still evolving. Take note of future lessons from others’ mistakes and react accordingly. Stay tuned for the next EDPB review and whether the EU-US Privacy Shield mechanism will be renewed again.
1EU-US Privacy Shield Second Annual Joint Review https://edpb.europa.eu/sites/edpb/files/files/file1/20190122edpb_2ndprivacyshieldreviewreport_final_en.pdf
© 2019 Karima Saini, CIPP/E & CIPP/US, CIPM & FIP
The information provided and the opinions expressed represent the views of the author and do not constitute legal advice nor can be construed as offering comprehensive guidance of the various EU member state data protection legislations, regulations or other statutory measures referred to herein.