A Comparison of the Privacy Shield and the GDPR
With the introduction of the General Data Protection Regulation (GDPR) fast approaching, many are wondering how it compares to or will integrate with other privacy and security laws and agreements, such as the Privacy Shield. As the GDPR will come into effect on May 25, 2018, it is important to clear up any confusion as quickly as possible.
A central goal of the GDPR is to ensure that the personal data of people in the European Union (EU) will be protected, and that any storage or processing of this data will only be done in countries that have very strict legislation governing data protection.
Currently, the legal safeguards and frameworks that exist within the United States (US) do not reach the standards required by the EU and the GDPR. This would mean that businesses and organizations based in the US would not be permitted to process data from EU countries. The Privacy Shield agreement was made to allow individual US based organizations to prove that their data protection procedures are at a high enough level to allow them to process data from EU countries.
How Does the Privacy Shield Work?
The Privacy Shield agreement was made to replace the Safe Harbour agreement that existed between the EU and the US. By meeting the criteria of the Privacy Shield agreement, US companies and entities should be able to receive, process, store, and transfer EU data in a GDPR-compliant fashion. Some of the elements that must be in place include:
- Stronger data protection obligations placed on US entities when dealing with data relating to individuals based in the EU.
- The processing and use of personal data must be strictly limited to defined goals – no general access or use is permitted.
- Individuals within the EU are protected from harm and have the capacity to seek compensation, damages, or an indemnity.
- An annual review of the Privacy Shield is to be conducted by both the EU and the US to ensure viability and purpose.
To compare the Privacy Shield with the GDPR is not really possible, given that one only exists as a means to determine compliance with the other. The overall aim of the two is the same: to ensure data protection for people in the EU.
What is Meant by Consent in the GDPR?
The GDPR will repeal and replace EU Directive 95/46/EC – The Data Protection Directive. An element of this Directive that caused confusion concerned what exactly constituted consent. Consent and correctly receiving it is a critical aspect of legally processing data as consent is one of the legitimate reasons to allow an organization to store or use personal data. The way the current Directive is written led some member states to emphasize different aspects of consent and how it should be sought. The GDPR should facilitate a more harmonious approach to this area by introducing more detailed definitions, while the general understanding of “consent” itself will not be changed.
What Definitions have been Added?
Let us review the two definitions relating to consent:
Directive 95/46/EC: “The data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.
GDPR: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
The GDPR definition adds the term “unambiguous” to its definition, but this is actually present in Article 7 of the Directive – “Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent…”
The GDPR definition also introduces “by a statement or clear affirmative action”. This addition is much more important. Individuals must now take action to provide consent. As the GDPR also states, “silence, pre-ticked boxes or inactivity should not […] constitute consent”. This means individuals must check boxes themselves, orally affirm their consent, press a button, or perform some other active measure to provide consent.
The notion of “freely given” has also been updated. As well as instances where an imbalance of power between parties may affect free will, the GDPR notes “consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.
US based companies, or those looking to utilize the services of such companies should closely review both the GDPR and the Privacy Shield agreement. All companies involved in collecting or processing data from individuals in the EU should ensure that consent received in the past is GDPR compliant and that procedures for gathering consent meet the necessary standards. Not doing so could result in non-compliance and heavy fines.