by Jim Ashton | Mar 22, 2018
More than a few companies are struggling with US personal data. One of our clients was even considering moving an entire data centre from its US office to the UK to become GDPR compliant.
By default, the US is not treated as providing adequate protection under the GDPR, so transfers there are not compliant on their own. However, US organisations that make use of a mechanism called Privacy Shield are GDPR compliant.
Privacy Shield eligibility is limited to any US organisation that is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT). If you aren't sure about your US company's jurisdiction, contact the Privacy Shield team at email@example.com
To secure GDPR compliance for your US personal data transfer you should use Privacy Shield or an alternative called Model Contract Clauses. Read on for more about these two.
The GDPR article determining transfers and processing using Privacy Shield is "Article 45 - Transfers on the basis of an adequacy decision" which states:
"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."
The European Commission has so far recognised Andorra, Argentina, Canada (limited to commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
The EU-US Privacy Shield decision was adopted on July 12 2016 and the Privacy Shield framework became operational on August 1 2016. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.
Privacy Shield self-assessment enrolment
Establishing the Privacy Shield is straightforward. The following "How to prepare" and "How to self-certify" sections explain what to do.
How to prepare
How to self-certify
Annual registration cost
The following table shows the current revenue-based enrolment price bands (source: https://www.federalregister.gov/documents/2017/04/04/2017-06437/amendment-to-the-privacy-shield-cost-recovery-fees).
| Organization's annual revenue | EU only | EU and Switzerland |
|---|---|---|
| $0 to $5 million | $250 | $375 |
| Over $5 million to $25 million | $650 | $975 |
| Over $25 million to $500 million | $1,000 | $1,500 |
| Over $500 million to $5 billion | $2,500 | $3,750 |
| Over $5 billion | $3,250 | $4,875 |
Privacy Shield deals with transfers between the US and EU and the US and Switzerland separately. If you don't transfer personal data between the USA and Switzerland, you pay the EU only fee.
Either way, setting up Privacy Shield is much cheaper than moving a data centre.
Model Contract Clause (MCC)
The alternative is the use of a Model Contract Clause. This is free, but it may be more difficult to implement because a) Privacy Shield exists, b) given the content and wording, lawyers will probably get involved and c) the text in the MCC cannot be changed. Clauses can be added to it as long as the additions do not alter the original meaning.
The governing text for MCCs is in Article 46(2)(c), supplemented by GDPR recitals 108 and 109, which state:
"(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission (MCC), standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority."
"(109) The possibility for the controller or processor to use standard data-protection clauses (MCC) adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects."
Privacy Shield and MCCs are both legal vehicles for transferring and processing data between the UK and USA. Both require some up-front work to ensure that adequate organisational and technical measures are in place.
- You must use one of them to be GDPR compliant.
- Privacy Shield is a GDPR-recognised mechanism and is easy to implement, but it has an annual cost.
- The MCC has no annual cost, but it is a legal structure that may need a lot of explanation and is totally inflexible.
- Either one is acceptable.
- You make the choice.