GDPR provides stricter and more thorough rules for collecting, storing, and using EU personal data, regardless of the country in which that data is processed, and because of this, Privacy Shield’s relevance has diminished. U.S. organizations that wish to become Privacy Shield self-certified may still do so, but the Framework does not provide the same level of personal data protection outlined by GDPR. What does this mean for you? This post highlights why GDPR is the new standard for personal data protection and has made Privacy Shield less relevant, as well as what companies can do to ensure they become—and remain—GDPR compliant.
Privacy Shield Did Not Provide Adequate Personal Data Privacy and Protection: The Facebook-Cambridge Analytica Case
Privacy Shield has had a number of shortcomings since its inception and has faced criticism since its first EU review. The EU Parliament’s civil liberties committee has also stated that the current agreement fails to provide an adequate level of protection. This lack of protection, including a Privacy Shield Ombudsperson position that remains vacant, is highlighted by the recent Facebook-Cambridge Analytica data breach. The breach compromised the data of 87 million people, 2.7 million of whom were EU citizens.
The social media giant had been Privacy Shield self-certified since 2016. The EU Parliament has pointed to the case as a glaring example of why the U.S. must strengthen its personal data protection laws, and why self-certification does not necessarily lead to assured protection. Maximilian Schrems, the plaintiff whose 2015 case ruling invalidated Privacy Shield’s precursor, Safe Harbor, has also targeted Facebook for its questionable data flows under what Privacy Shield deems adequate.
How GDPR Has Made Privacy Shield Less Relevant
In an attempt to address these inadequacies and improve protection for anyone who submits personal data from inside the EU, the EU’s General Data Protection Regulation (GDPR) builds upon the 1995 EU Data Protection Directive. GDPR provides the most comprehensive set of rules for protecting and regulating how EU personal data is used.
The EU Parliament has made it clear that GDPR is the new standard for personal data protection. On July 4, 2018, it voted on a non-binding resolution that called on the European Commission to suspend Privacy Shield unless the U.S. became fully compliant by September 1, 2018. However, the U.S. has not become compliant, and the European Commission has not responded with any retaliatory measures. The United States’ CLOUD Act (Clarifying Lawful Overseas Use of Data) has also raised concerns and presented new hurdles: the European Parliament has noted that the Act may conflict with EU personal data protection laws and violate civil liberties in the process.
GDPR Provides All-Encompassing Personal Data Protection Guidelines, U.S. Data Laws Are Piecemeal
Currently, the EU is unsatisfied with—and skeptical of—the United States’ lack of transparency regarding personal data protection. Bluntly, the EU sees personal data protection as a human right and the U.S. does not. This fundamental difference is one of the primary contributors to dissimilar data protection laws between the U.S. and EU.
Despite the U.S. government’s lack of a personal data protection plan that mirrors GDPR, public and private organizations in the United States must follow GDPR’s guidelines when collecting personal data of anyone inside the EU. If not, they run the risk of fines, penalties, or a loss of trust among those who support these organizations. Though at the Federal level the U.S. does not have a similar plan to GDPR, some states, including California and Colorado, have enacted GDPR-like personal data security legislation, perhaps setting the standard for more states to emulate.
How Businesses Benefit from Ensuring Personal Data Protection
Organizations should be mindful of GDPR’s requirements, and can benefit from creating an internal review team or a Governance, Risk, and Compliance (GRC) committee. These bodies evaluate risks and recommend mitigations to ensure personal data privacy and security. Under GDPR, most private businesses and public authorities are required to appoint a Data Protection Officer (DPO) to ensure that they are handling personal data compliantly.
For organizations operating in the digital age, trust is just as valuable as financial transactions; if clients and customers can’t trust the businesses they support, they will look elsewhere for products and services. Companies that adhere to GDPR guidelines are demonstrating to clients and customers that they are committed to protecting their personal data. Organizations can do so by:
- Documenting the personal data collected, where it came from, and its use—and only using it for the documented purpose
- Disclosing to data subjects how and why their personal data is being collected and processed
- Appointing a Data Protection Officer
- Contacting authorities within 72 hours (should a breach occur)
- Offering individuals the right to be forgotten
- Conducting regular internal audits and reviewing internal policies
Become—and Remain—GDPR Compliant
GDPR is the most comprehensive regulation to provide personal data protection. As its influence continues to spread, other countries will likely follow with similar guidelines; a worldwide agreement on what constitutes “adequate” privacy and security will be the next major step for personal data legislation.
Velocity Global has always valued its global clients’ personal data security, and that commitment to security and privacy is reflected in our GDPR-relevant Information Governance Program. If you’re considering expanding your business and would like to learn more about this plan, reach out to Velocity Global today. Our full suite of global expansion services can help you navigate the complexities of international expansion and ensure compliance with local regulations.