LEXR — News
by Anna Maria Tonikidou

Cross-Border Data Transfers: Does Your Business Need the Privacy Shield Certification?

The EU-US and Swiss-US Privacy Shield Frameworks provide companies with a data protection compliance mechanism when transferring personal data from the EU and Switzerland to the US for commercial purposes.

The basics: Cross border data transfers under the GDPR

Under the EU General Data Protection Regulation (GDPR), personal data can be transferred outside of the EU based on one of the following grounds:

  • A Commission Adequacy Decision, such as the one used to adopt the EU-US Privacy Shield;
  • Model Clauses, i.e. standard contractual clauses that offer sufficient safeguards on data protection for the data to be transferred internationally;
  • Binding Corporate Rules, namely internal rules for intragroup data transfers within multinational companies developed by the European Union Article 29 Working Party;
  • A derogation or exemption from the above, such as consent.

What is the EU-US Privacy Shield?

The EU-US Privacy Shield is recognized as an adequate transfer mechanism for transfers of personal data from the EU to the United States. Over 4600 companies have already certified, including Google, IBM, Facebook, LinkedIn, Twitter, and Microsoft.

Switzerland and the US have their own agreement, called the Swiss-US Privacy Shield, which mirrors the EU-US Privacy Shield agreement. Together with the Swiss Federal Data Protection Act, the Swiss-US Privacy Shield parallels the dynamic between the EU-US Privacy Shield and GDPR.

A look at the history: Where does the Privacy Shield come from?

The Safe Harbor Privacy Principles were jointly developed by the European Commission and the US Department of Commerce to allow for personal data transfers under the previous EU privacy directive and were recognized by the EU Commission in a decision in 2000.

The Snowden effect in 2013 sparked calls to suspend the Safe Harbor Principles, and the Commission initiated a re-negotiation. While the negotiations were ongoing, Case C-362/14 Maximillian Schrems v Data Protection Commissioner was referred to the Court of Justice of the EU by the Irish High Court. In October 2015, the Court of Justice declared that the Safe Harbor framework "fail[ed] to comply with the requirements" of adequate protection as per EU privacy law and is therefore invalid.

To address the ensuing legal uncertainty, on 12 July 2016, the US Department of Commerce and the European Commission announced the launch of a new EU-US Privacy Shield framework to replace the former Safe Harbor Principles as a new transfer mechanism enabling transfers of personal data from the EU to the US.

On 12 January 2017, the Swiss Federal Government approved the Swiss-US Privacy Shield Framework as a valid legal mechanism to allow for the transfer of personal data from Switzerland to the US.

Why should companies obtain a Privacy Shield certification?

EU and Swiss companies require adequate safeguards when transferring personal data abroad, and the EU-US and Swiss-US Privacy Shields are a straightforward mechanism to allow for such a transfer to a US company. Therefore, if you as a US company receive personal data from EU and Swiss companies on a regular basis, the Privacy Shield self-certification process can prove more efficient than comparable safeguards, such as the contractual Model Clauses.

Certification is especially useful for US companies in the following cases:

  • Regular receipt of personal data from various EU and/or Swiss companies;
  • Fostering business and consumer trust by means of a public self-certification; and
  • Processing of personal data, in particular HR data, of EU and/or Swiss group companies.

It is important to note that the Privacy Shield does not constitute GDPR compliance per se. It is simply a safeguard mechanism that allows EU and Swiss companies to transfer personal data to the US.

The seven Privacy Shield principles

The Privacy Shield sets forth seven commonly recognized privacy principles:

  1. Notice: Companies have to publish privacy notices containing specific mandatory information regarding their participation in the Privacy Shield and data privacy practices;
  2. Choice: Companies must establish a mechanism allowing data subjects to opt out of the disclosure of their personal data to third parties;
  3. Accountability for onward transfer: Privacy Shield certified companies are held accountable for the onward transfer of personal data to third parties acting as a data controller (i.e. determining the purposes and means of the processing) or acting as a processor;
  4. Security: Companies must adopt reasonable and appropriate security measures to protect personal data;
  5. Data integrity and purpose limitation: Companies must limit processing of personal data to the purposes for which it was collected;
  6. Access: Companies must provide a mechanism for responding to data subject access requests; and
  7. Recourse, enforcement and liability: Companies must provide a recourse mechanism for individuals affected by non-compliance. Compliance must be verified, and lack thereof must incur consequences.

The steps to ensure compliance with the Privacy Shield principles

The Privacy Shield calls for a number of steps to demonstrate compliance with the above principles, namely:

  • An internal compliance assessment and adoption of adequate controls, policies and procedures to cover any gaps identified during the assessment;
  • Designation of a Privacy Shield contact person;
  • An independent recourse mechanism (EU data protection authorities or a private sector dispute resolution service, depending on the type of data) to respond to complaints of EU data subjects; and
  • Development and publication of a Privacy Shield notice which illustrates the privacy practices of the firm.

At LEXR, we have developed a Privacy Shield Package to help you certify – contact us anytime for a free initial consultation.