{"id":330,"date":"2020-09-06T23:48:29","date_gmt":"2020-09-06T23:48:29","guid":{"rendered":"https:\/\/cybersecom.co\/?p=330"},"modified":"2024-02-09T23:49:38","modified_gmt":"2024-02-09T23:49:38","slug":"the-romance-between-the-eu-and-the-us-regarding-gdpr-and-privacy-shield-the-data-privacy-affair","status":"publish","type":"post","link":"https:\/\/cybersecom.co\/index.php\/2020\/09\/06\/the-romance-between-the-eu-and-the-us-regarding-gdpr-and-privacy-shield-the-data-privacy-affair\/","title":{"rendered":"The Romance between the EU and the US regarding GDPR and Privacy Shield \u2013 The Data Privacy Affair"},"content":{"rendered":"<div class=\"wp-block-post-date\"><time datetime=\"2020-09-06T23:48:29+00:00\">September 6, 2020<\/time><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>The initial stage \u2013 when a couple agrees<\/strong><\/h3>\n\n\n\n<p>In 1948, the United Nations created the <a href=\"https:\/\/www.un.org\/en\/universal-declaration-human-rights\/\" target=\"_blank\" rel=\"noreferrer noopener\">Universal Declaration of Human Rights<\/a>, which acknowledged equal and inalienable rights for the human race, such as the Right to a Private Life and the Right to Freedom. This was back when the EU and the U.S. (as a couple) were in harmony.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The passion fading stage \u2013 when a couple goes separate ways<\/strong><\/h3>\n\n\n\n<p>The EU went ahead in the 1950s with the European Convention on Human Rights, and worked with the OECD (Organization for Economic Co-operation and Development) to create <a href=\"https:\/\/www.oecd.org\/sti\/ieconomy\/privacy-guidelines.htm\" target=\"_blank\" rel=\"noreferrer noopener\">privacy guidelines<\/a> published in 1980. 
Then <a href=\"https:\/\/www.coe.int\/en\/web\/data-protection\/convention108-and-protocol\" target=\"_blank\" rel=\"noreferrer noopener\">Convention 108<\/a> was adopted in 1981; it is the first and still the only legally binding international instrument for Data Privacy.<\/p>\n\n\n\n<p>The EU then created the <a href=\"https:\/\/eur-lex.europa.eu\/LexUriServ\/LexUriServ.do?uri=CELEX:31995L0046:en:HTML\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection Directive in 1995<\/a>, which was later turned into the General Data Protection Regulation, also known as <a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/data-protection-eu_en\" target=\"_blank\" rel=\"noreferrer noopener\">GDPR<\/a>. It is important to know that the same principles on rights remain (a topic I discuss in another <a href=\"https:\/\/cybersecom.co\/index.php\/2018\/05\/25\/how-gdpr-is-disrupting-the-global-privacy-law-and-benefiting-us\/\" target=\"_blank\" rel=\"noreferrer noopener\">article<\/a> as well as in the <a href=\"https:\/\/www.sap-press.com\/security-for-sap-cloud-systems_4908\/\" target=\"_blank\" rel=\"noreferrer noopener\">book I wrote<\/a>).<\/p>\n\n\n\n<p>Meanwhile, the U.S. (as of today) has privacy laws for specific industries (e.g. health care: HIPAA), while it lacks a privacy law at the federal level to protect individuals. To give you an example, the U.S. adopted consumer <a href=\"https:\/\/www.ftc.gov\/news-events\/media-resources\/protecting-consumer-privacy-security\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy and Security rules, which are enforced by the Federal Trade Commission<\/a> (FTC), while in the EU the <a href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/data-protection-eu_en#european-data-protection-board\" target=\"_blank\" rel=\"noreferrer noopener\">European Data Protection Board<\/a> (EDPB) enforces the GDPR.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The reconciliation stage \u2013 when a couple mediates to find common ground<\/strong><\/h3>\n\n\n\n<p>Chapter 5 of the GDPR determines that personal data may be processed in a third country when one of the following is in place:<\/p>\n\n\n\n<ul>\n<li>The European Commission determines that the country has an \u201cadequate level of protection\u201d<\/li>\n<li>Standard Contractual Clauses (SCC)<\/li>\n<li>Binding Corporate Rules (BCR)<\/li>\n<li>Derogation<\/li>\n<li>International agreement<\/li>\n<\/ul>\n\n\n\n<p>The above creates challenges for U.S. companies because the United States, as a country, is not considered to have an \u201cadequate level of protection\u201d. SCC and BCR leave it up to individual companies to choose whether to comply.<\/p>\n\n\n\n<p>The solution back then was for the EU and the U.S. 
to come to an agreement, and they did so by creating <a href=\"https:\/\/en.wikipedia.org\/wiki\/International_Safe_Harbor_Privacy_Principles\" target=\"_blank\" rel=\"noreferrer noopener\">Safe Harbor<\/a> in 2000, which relied on companies self-certifying against the seven principles agreed upon by both parties. In the Security and Privacy field, self-certification creates a bigger problem than it solves, and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Snowden_effect\" target=\"_blank\" rel=\"noreferrer noopener\">the Snowden effect<\/a> made the EU feel cheated. Even after thirteen recommendations had been proposed, Safe Harbor\u2019s adequacy was <a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2015-10\/cp150117en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">deemed invalid<\/a> in 2015.<\/p>\n\n\n\n<p>In order to maintain the data flow between the EU and the U.S., <a href=\"https:\/\/www.privacyshield.gov\/welcome\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy Shield<\/a> was created with checks and balances. However, in July 2020 the EU\u2019s Court of Justice ruled that <a href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=228677&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=9745404\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy Shield was invalid<\/a>, because EU data subjects do not receive the same level of protection in the U.S. as they do under GDPR.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The next stage \u2013 communication and understanding will hopefully bring couples closer<\/strong><\/h3>\n\n\n\n<p>Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) are still untouched as of the latest ruling. 
For those companies relying on them, careful analysis needs to be carried out to determine how SCC applies on a case-by-case basis.<\/p>\n\n\n\n<p>Companies that rely on Privacy Shield will have to review their privacy practices and how they handle international transfers between the EU and the U.S., including the possibility of using SCC and BCR (which requires additional work).<\/p>\n\n\n\n<p>Finally, all of us, as data subjects and Privacy professionals who care about Privacy and Security, should understand which companies rely on Privacy Shield and how they handle our data in order to assess the risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Conclusions<\/strong><\/h3>\n\n\n\n<ul>\n<li>The EU has had many iterations of Data Privacy development, while the U.S. lacks Data Privacy at the federal level.<\/li>\n<li>The EU does not consider the U.S. to have adequate privacy laws or an enforcement authority for international transfers; repeated agreements and rejections have been a problem over the years.<\/li>\n<li>The EU sees data privacy as a human right, while the U.S. sees data privacy as a consumer right.<\/li>\n<li>Companies relying on SCC and BCR should be careful and analyze transfers on a case-by-case basis.<\/li>\n<li>U.S. companies that rely on Privacy Shield must seek alternatives since it has been invalidated.<\/li>\n<li>Data Subjects and Privacy Professionals need to better understand how companies handle their personal data in order to evaluate the risks of using their services.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The initial stage \u2013 when a couple agrees In 1948, the United Nations created the Universal Declaration of Human Rights, which acknowledged equal and inalienable rights for the human race, such as the Right to a Private Life and the Right to Freedom. This was back when the EU and the U.S. (as a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":331,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[15,13,14,21],"class_list":["post-330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-insight","tag-eu","tag-gdpr","tag-privacy-law","tag-us"],"_links":{"self":[{"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/posts\/330"}],"collection":[{"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/comments?post=330"}],"version-history":[{"count":2,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/posts\/330\/revisions"}],"predecessor-version":[{"id":334,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/posts\/330\/revisions\/334"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/media\/331"}],"wp:attachment":[{"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/media?parent=330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/categories?post=330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecom.co\/index.php\/wp-json\/wp\/v2\/tags?post=330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}