July 8, 2020

How does GDPR, EU-US privacy shield impact you?

How does GDPR and the EU-US Privacy Shield impact Australian businesses?

# Insights

Faced with global pressures over the legislation on personally identifiable information (PII), the electronic identity verification service providers must take control of this facet of its worldwide stance to back the implementation of highest levels of privacy and security.

Although it’s not surprising for US organisations to assume that the EU-US Privacy Shield and the GDPR have almost the same intent, they are actually very distinct legal mechanisms that provide two separate, if intersecting, purposes. The GDPR has more requirements for transporting PII to worldwide businesses compared to within the Union (Art. 44). One of these requirements is focussed on a suitability verdict, which is an adequate degree of protection as per Art. 45(2) – evaluating the entity’s regulations, surveillance agencies, and worldwide obligations. After spectacular legal events and challenging long-haul discussions, the Safe Harbor system connecting the EU and the USA was superseded by Privacy Shield on February 2, 2016.

The Privacy Shield is an attempt to facilitate secure PII movements outside the EU and via the US for business-related objectives. It does not simply substitute Safe Harbor; nonetheless, it offers a baseline on which to propose supervision and rectify, as well as a firmer rationale for repurposing. Non-EU organizations cannot just comply with the GDPR as a tool to allow the transportation of PII from the EU. While GDPR compliance is crucial under any circumstances, an authorized data transfer process, such as the Privacy Shield, must be put in place by the non-EU businesses as well. Privacy Shield is a significant part of any US business’ European privacy toolkit. When applied in combination with a sturdy and skillfully produced GDPR compliance strategy, the Privacy Shield can be a compelling — and cost-effective — tool. It is a cross-border data transfer method, which is determined by the Privacy Shield Principles and Supplemental Principles. The core objective of the Privacy Shield is to deliver ‘essential equivalence’ to the GDPR.

How does EU-US Privacy Shield relate to Australian Businesses?

The impacts of privacy shield also carry over to organisations that transfer data from the EU to the US where that data is further transported to other territories such as Australia. Australia does not have anything corresponding to the EU-US Privacy Shield agreement with any other country, so the responsibility of determining the equivalence of international privacy safeguards is on specific companies. This means that Australian Privacy Principles (APP)  entities who collect EU data, predominantly where it is being transported via the US, should analyse their existing measures with data exporters to ensure they have standard contractual clauses primed but also be aware that they will be challenged with additional requirements of commitment to data protection standards levied by the EU after the commencement of the Privacy Shield.

APP entities intending to transfer PII to Australia from the EU, via the US, must be ready to execute policies and procedures which permit them to meet the privacy criteria expected by the Directive.  If they do this, then they will be deemed compliant and may appeal flows of PII from the EU. It is vital to note that, being certified under the EU-US Privacy Shield can provide your business with a jump start on implementing the GDPR’s standards and also delivers legal transparency and focus on the EU’s data protection laws, but will not certify total GDPR compliance. Businesses should bear in mind that the EU-US Privacy Shield will be revaluated yearly and could alter. Hence, it is crucial to have a designated individual to stay up to date with all the revisions.

Data Zoo makes it easy to onboard and verify customers quickly

Get in touch and let us know how we can help