Privacy Shield vs GDPR

The EU-US Privacy Shield and GDPR share a similar aim: to ensure that the privacy of EU citizens is protected. But how does one relate to the other, and does compliance with the Privacy Shield mean organizations are compliant with GDPR?

GDPR and its predecessor, EU Directive 95/46/EC, do not permit EU companies to share the private data of EU residents with other countries unless those countries have adequate privacy laws that ensure the personal data of EU residents will be protected.

There are many countries that lack appropriate privacy laws. Sharing the data of EU residents with companies in those countries is therefore not permitted under EU law. The United States is one such country where privacy protections do not meet EU standards. The EU-US Privacy Shield framework was introduced as a way to allow EU companies to share data with companies in the United States.

The EU-US Privacy Shield framework was adopted by the European Commission on July 12, 2016. The new framework replaced the International Safe Harbor Privacy Principles framework, which was declared invalid in October 2015 as it did not include sufficiently strict data protection requirements.

The Privacy Shield Framework is far stricter, although voluntary for U.S. companies. If companies in the United States are certified under the EU-US Privacy Shield, they are deemed to have adequate controls to protect the data of EU residents, thus allowing the data of EU residents to be transferred out of the EU to those companies.

EU-US Privacy Shield vs GDPR

How do the Privacy Shield and GDPR compare? The Privacy Shield and GDPR serve similar purposes, although it is difficult to compare the two as they are not equivalent and are different legal instruments.

The Privacy Shield is also voluntary, whereas GDPR applies to all companies that receive, process, store, and transfer EU citizens’ data. Being certified as compliant with the EU-US Privacy Shield will allow a company to receive data on EU citizens from EU companies, but being compliant with GDPR will not.

Many companies that have adopted the EU-US Privacy Shield framework and been certified may mistakenly believe that they are in compliance with GDPR, but that is unlikely to be the case. Compliance with the requirements of the Privacy Shield does not mean an organization is compliant with GDPR.

The EU-US Privacy Shield is only concerned with one thing: the transfer of the personal data of EU residents from the European Economic Area and Switzerland to the United States. Some requirements of the Privacy Shield match the requirements of GDPR, although GDPR is more far-reaching and includes additional requirements for U.S. companies.

Companies in the United States that are certified as meeting the requirements of the EU-US Privacy Shield will certainly be closer to compliance with GDPR than organizations that are not, as the principles of the EU-US Privacy Shield align with GDPR principles. However, it is essential that the requirements of both the EU-US Privacy Shield and GDPR are studied and a gap analysis performed to determine any additional measures required to comply with GDPR.

With the GDPR compliance date fast approaching, U.S. companies need to act quickly. It is important not to underestimate the level of work that may be required to comply with GDPR.