The European Court of Justice declaring the US-EU Safe Harbor Framework to be invalid led to the adoption of the EU-US and Swiss-US Privacy Shield Frameworks in 2016, which provide a legal mechanism for companies to transfer personal data from the European Union to the United States. However, Privacy Shield is not recognised by a number of companies as being sufficient, and there are ongoing challenges to the framework in the EU Court of Justice.
In 2016, the EU approved the General Data Protection Regulation (GDPR), which is set to go into effect on 25 May 2018. If you operate a global business, work with third parties or operate an online marketplace in which you handle the personal information of EU citizens, then you need to know the differences between GDPR and Privacy Shield … and how you can prepare for its pending implementation.
Privacy Shield, along with the Safe Harbor provisions it superseded in 2016, is an agreement between the US and the EU/Switzerland to address the gaps in data protection that the EU identified. Privacy Shield provides a framework regarding the contractual obligations that need to be in place to ensure the appropriate protection for that citizen’s data and to ensure that it’s only used in a manner that the citizen provided it for. Yet, it is not without problems or shortcomings.
In a statement released by the EU on 18 October 2017, Justice Minister Vera Jourová said: “Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must also be ensured when personal data leaves the EU. Our first review shows that the Privacy Shield works well… but there is some room for improving its implementation.”
The recommended improvements include US authorities providing the Department of Commerce with more resources, such as personnel to retroactively monitor Privacy Shield certified companies to ensure compliance, so that only companies who are truly Privacy Shield compliant receive the certification. Worth noting is the fact that it is not a requirement to be Privacy Shield certified. If your company is involved in the handling and transfer of data that fits into this scenario, there are alternative routes that can be employed to ensure the correct and aforementioned contractual obligations are established, such as
- specific contract terms negotiated directly between the parties
- use of the EU Model Clause Contracts
- use of the Privacy Shield framework.
All three of these are valid options to businesses, and the absence of one does not mean your company is non-compliant or mishandling data in any way.
The main thing that companies need to be cognizant of is that the EU-US and Swiss-US Privacy Shield frameworks only deal with the transfer of the personal data of an EU citizen from the EU/Switzerland to the US, not other jurisdictions. GDPR, by contrast, is global, so a company that is Privacy Shield certified in the US but also handles EU citizens’ data within Asia may not be fully compliant, especially if the company does not have terms in place to address the requirements of GDPR.
GDPR applies to all organisations worldwide that
- provide goods and services to individuals within the EU (including free of charge)
- monitor those individual’s behaviour.
It was created to replace the Data Protection Directive 95/46/EC and is designed to harmonise data privacy laws across Europe, to protect and strengthen all EU citizens data privacy and to improve the way organisations approach data privacy. The steps to become GDPR compliant depend on individual businesses, the jurisdiction(s) they are operating in and the source of the personal information shared. There are some key tasks that each company should undertake, such as conducting a contract landscape review to ensure appropriate obligations are in place, a review and update of policies (especially the privacy and cookie policies) and review marketing processes and procedures such as collection of consents, to ensure they align with the new regulations.
The main challenges faced by organisations with regard to data protection policies are the complexity of the evolving requirements and the various interpretations. Scientist.com, an online marketplace connecting buyers and sellers of scientific services, works closely with pharmaceutical companies, emerging biotech companies, suppliers and individual researchers to ensure that our marketplaces are compliant with these evolving environments.
As a company that puts compliance at the heart of what we do, we take our responsibility to ensure that our clients and suppliers are protected in relation to their use of our marketplaces very seriously.
As there is no single global regulation regarding privacy, Scientist.com is working with an internationally recognised legal firm to implement an improved, compliant contractual landscape to ensure that the data transfers through our marketplace are protected to the highest standards following the implementation of GDPR. We suggest that all companies conducting business internationally do likewise.
