The initial stage – when a couple agrees
In 1948, the United Nations created the Universal Declaration of Human Rights, which acknowledged equal and inalienable rights for the human race, such as the Right to a Private Life and the Right to Freedom. This was back when the EU and the U.S. (as a couple) were in harmony.
The passion fading stage – when a couple goes separate ways
The EU went ahead in the 1950s with the European Convention on Human Rights, and worked with the OECD (Organisation for Economic Co-operation and Development) to create privacy guidelines, published in 1980. Convention 108 was then adopted in 1981; it was the first and is still the only legally binding international instrument for Data Privacy.
The EU then created the Data Protection Directive in 1995, which was later turned into the General Data Protection Regulation, also known as the GDPR. It is important to know that the same principles on rights remain (a topic I discuss in another article as well as in the book I wrote).
Meanwhile, the U.S. (as of today) has privacy laws for specific industries (e.g., HIPAA for health care), but lacks a privacy law at the federal level to protect individuals. To give an example, in the U.S. consumer privacy and security is enforced by the Federal Trade Commission (FTC), while in the EU the European Data Protection Board (EDPB) enforces the GDPR.
The reconciliation stage – when a couple mediates to find common ground
Chapter 5 of the GDPR determines that the processing of personal data in a third country can take place when one of the following exists:
– The European Commission determines that a country has an “adequate level of protection”
– Standard Contractual Clauses (SCC)
– Binding Corporate Rules (BCR)
– Derogation
– International agreement
The above creates challenges for U.S. companies because the United States, as a country, is not considered to have an “adequate level of protection”. SCC and BCR leave it up to individual companies to choose whether to comply.
The solution back then was for the EU and the U.S. to come to an agreement, and they did so by creating Safe Harbor in 2000, which relied on companies to self-certify against the 7 principles agreed upon by both sides. In the Security and Privacy field, self-certification creates a bigger problem than it solves, and the Snowden effect made the EU feel cheated. Even after thirteen recommendations had been proposed, Safe Harbor's adequacy was deemed invalid in 2015.
In order to maintain the data flow between the EU and the U.S., Privacy Shield was created with checks and balances. However, in July 2020 the EU's Court of Justice invalidated Privacy Shield because EU data subjects do not receive the same level of protection in the U.S. as they do under the GDPR.
The next stage – communication and understanding will hopefully bring couples closer
Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) are still untouched as of the latest ruling. For those companies relying on them, careful analysis needs to be carried out to determine how SCC applies on a case-by-case basis.
Companies that rely on Privacy Shield will have to review their privacy practices and how they handle the international transfer between the EU and the U.S., including the possibility of using SCC and BCR (which requires additional work).
Finally, all of us, as data subjects and Privacy professionals who care about Privacy and Security, should understand which companies rely on Privacy Shield and how they are handling our data in order to assess the risk.
Conclusions:
– The EU has had many iterations of Data Privacy development, while the U.S. lacks Data Privacy at the federal level
– The EU does not consider the U.S. as having adequate privacy laws or enforcement authority for international transfers; repeated agreement and rejection have been a problem over the years.
– The EU sees data privacy as a human right, while the U.S. sees data privacy as a consumer right
– Companies relying on SCC and BCR should be careful and analyze transfers on a case-by-case basis
– U.S. companies that rely on Privacy Shield must seek alternatives, since it has been invalidated.
– Data subjects and Privacy professionals need to better understand how companies handle their personal data in order to evaluate the risks of using their services.