Privacy Shield Does NOT Equal GDPR Compliance
Once again, I will begin this blog with the caveat that I am NOT a privacy expert. However, even a single reading, some brief research, and little common sense makes it clear that Privacy Shield is more about keeping US-EU business moving than it is protecting the rights of data subjects. At least from the US side.
And I’m perfectly fine with that, because to a significant degree the GDPR is predicated on enabling business across the globe. However, the challenge is that this simply cannot be at the continued expense of a fundamental human right.
For example, what if I placed the following statement in my website terms and conditions; “To complete this sale I hereby agree to forgo my right to a fair and public hearing by an independent and impartial tribunal.” – Universal Declaration of Human Rights Article 10
Or; “Please check this box to accept that you are no longer permitted to marry or found a family.” – Universal Declaration of Human Rights Article 16
So why is this OK?; [paraphrasing] “You hereby agree that your personal data can be used for any purpose we see fit.”? – Universal Declaration of Human Rights Article 12
How would you like it if a merchant sold your personal details to an insurance company, and based on their profiling algorithm your rates went up? Or less extreme, how irritated are you when you contribute to a charity then get inundated with other charities begging for money because you’re a proven ‘soft-touch’?
The GDPR is designed to put the control of personal data back into the hands of its rightful owner; the data subject. But how can a US-based organization, not established in the Union, possibly comply with a Union law? And even if they DID want to, how could it possibly be enforced to the same extent?
The mechanism is called ‘adequacy’ (GDPR Recital 103 and Article 45); “A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.” In this case, the ‘third country is the US, and the ‘adequacy decision’ was rendered by the European Commission in their Commission Implementing Decision (EU) 2016/1250 on 12 July 2016.
Unfortunately, that decision was made “pursuant to Directive 95/46/EC” which is the soon-to-be-defunct Data Protection Directive (DPD), not the General Data Protection Regulation. What happens to the adequacy decision when the DPD is no longer in effect? Well, even if Privacy Shield didn’t continue on (which it will …for now), GDPR Article 46(2) would still have the answer. i.e. the same things required for any non-Union establishment will take effect; contracts, BCRs, standard clauses, certification, codes of conduct and so on. In other words, things that cover the entirety of GDPR. Not adequately cover, completely cover.
At this point, I think Article 46(2) would be the EU’s preference.
As for the chances of the current adequacy decision making its way seamlessly into the new regulation, the Article 29 Working Party were far from impressed in their First Annual Joint Review(28-Nov-17) to the point that; “In case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.” In other words, fix the major issues or we’ll recommend the adequacy decision be revoked.
But where does all of this leave US companies wanting to do business with the Union? Do they still self-certify to Privacy Shield and hope it remains mostly intact, or do they ensure the same controls that could claim ‘GDPR compliance’ are in place? What about EU-based organizations wanting to send data to the US for processing? Do they rely entirely on a demonstration of Privacy Shield certification even though Article 28(1) specifically states; “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” and they know full-well that Privacy Shield has gaps?
With only a week’s immersion in Privacy Shield, I am certainly not in a position to give advice, but I WILL throw out a couple of obvious warnings:
- If you’re an EU-based organization hoping to avoid some of the GDPR heavy-lifting by dumping all of your data to an US-based processor, I wouldn’t, you are still 100% liable;
- If you’re a US-based organization hoping to hide behind the Privacy Shield’s less strenuous requirements, you will be left behind when it either changes or gets entirely revoked
EU law will not go backwards to accommodate the relatively immature privacy laws in the US. Instead, the US privacy laws will need to evolve into something more acceptable to global expectations. While the GDPR is EU-specific, most of the rest of the world is going in fundamentally the same direction, and like it or not, business does not come first.
As consumers become more privacy-savvy, often despite themselves, it will only get tougher for organizations to not take privacy seriously. Like good customer service, it will be one the few differentiators between you and your GLOBAL competitors.
My advice is to start doing things properly now while you still have room to make mistakes.