Professionals interested in data protection will be well aware that the GDPR was recently published, allowing a two-year transition period from current privacy laws to the new regulation. They will also have read about Privacy Shield and the controversy surrounding it.
What doesn’t seem to be too clear, though, is what the connection is between the two.
From what I have gathered, the GDPR will, from May 2018, control all processing of EU personal data, while Privacy Shield regulates the lawful transfer of such data from EU member states to the United States.
The GDPR is a new law that will cover all 28 EU member states, with extraterritorial jurisdiction over any company that processes the “personal data” of EU persons.
Current EU privacy laws regulate data privacy only in EU member states, and require equivalent protection mechanisms for data transferred outside of the EEA.
The GDPR will introduce a much wider geographical scope and regulate personal data of EU residents processed/stored anywhere in the world.
The GDPR, when enforced, will prohibit transfer of personal data outside of the European Economic Area (EEA) except where permitted under certain exceptions. Such exceptions are when data is transferred lawfully under acceptable cross-border data transfer mechanisms. These include model contracts, binding corporate rules (BCR) and, in all likelihood, Privacy Shield.
Safe Harbor replacement
Privacy Shield, when finally approved, will replace Safe Harbor, which was invalidated last October after the European Court of Justice ruled that Safe Harbor failed to provide sufficient data privacy protection to EU citizens whose data was sent to the United States. In providing a framework for the transfer of data, Privacy Shield incorporates all of the principal GDPR regulations that cover aspects such as access, disclosure, security and transparency.
Privacy Shield, however, has come under intense fire for not providing adequate protection for transferred data and for its lack of protection against surveillance by the US government. The European Data Protection Supervisor (EDPS) and the European Commission, known as the Article 29 Working Party (WP29), have rejected Privacy Shield, citing “an overall lack of clarity regarding the new framework as well as making accessibility for data subjects, organisations, and data protection authorities more difficult.”
Article 29 Working Party
WP29 has called for a glossary of terms to be added to Privacy Shield to clarify the application of important elements, such as commercial data retention and citizens’ rights to reject automated data processing.
WP29’s opinion is not law, but it often sets a precedent from which regulators establish their laws and practices.
While the EU GDPR and Privacy Shield have not yet been enacted, companies must start now to develop plans for protecting data across their corporate infrastructures. Those that adopt more robust privacy programmes will have an advantage over competitors that fail to take the necessary precautionary measures.
Get a head start over data privacy and protection mechanisms with IT Governance’s range of EU GDPR products and services, offering everything from an initial GDPR gap analysis or data flow audit, through to GDPR training, documentation toolkits and implementation manuals.