Is Privacy Shield Required For GDPR?

By Ketch / October 15, 2021

In a ruling made by the European Court of Justice last year, the Privacy Shield policy between the United States and the European Union was nullified. The decision had farther-reaching consequences than most people expected, especially regarding data protection in Europe.

Understanding The EU-US Privacy Shield

Based on the regulations brought forth by the GDPR, only data transferred within the EEA (Norway, Iceland, and Lichtenstein) and the European Union was to be considered unproblematic. 

However, supposing personal data happened to be transferred to a third country, the GDPR requirements state that there should be a comparable level of data protection in the recipient country. 

This was known as the Privacy Shield statute. In more standard terms, it was an agreement between the EU and the US designed to ensure the enforcement of this new level of data protection and replace the Safe Harbor regulation that was in place earlier but had been invalidated. 

This meant that even without the Privacy Shield, one would be allowed to receive personal data from the EU without additional legal measures.

Transfer Of Data To Third Countries

When it comes to GDPR and marketing, the transfer of data to third countries can only occur under the following conditions:

  • The transfer has to take into consideration the EU adoptions made to serve as adequacy decision parameters for countries such as Canada, Israel, Switzerland, Japan, Uruguay, Argentina, Faroe Islands, Isle of Man, Andorra, and New Zealand.
  • There has to be the presence of a legally binding agreement between authorities similar to the now invalid EU-US Privacy Shield.
  • There has to be a set of binding data protection rules and regulations within one or more companies.
  • One has to apply the standard data protection clause adopted by the commission, which aligns with the examination procedures referred to in Article 93 (2).
  • Adopt the code of conduct recommended by the supervisory authority.

One of the main advantages of the Privacy Shield was that it worked like an adequacy decision parameter. This meant that businesses could process the data without any more legal hurdles.

What Invalidating The EU-US Privacy Shield Meant

The decisions made by the European Court of Justice impacted various sectors of the marketing world, in particular, the internet. A wide range of online platforms such as Facebook, Twitter, Youtube, Google Maps, Social Plugin, and Google Analytics were all under US companies that had adopted the Privacy Shield.

If e-commerce website users implemented these new parameters, then data transfer to the USA could be possible. By nullifying the Privacy Shield, using e-services is no longer regulated by the privacy treaty that existed between the EU and the US.

Some Of The Alternatives To The Privacy Shield

If a destination country doesn’t have the right level of data protection, then any transfer of information has to be legitimized using other relevant safeguards. If the data subject gives their consent, then the transfer is possible. 

However, it is essential to state that the permission needs to be understandable, voluntary, and revocable. This means that it is not enough to inform the subject about data transfer in your privacy policy. 

They have to be provided with all the relevant information, and consent must be given before any transfer takes place. Data privacy software might be helpful in this regard.

Conclusion

Operating a website without any external content is next to impossible in today’s highly competitive market. However, to comply with the GDPR, it is a must that websites legitimize all their data transfer. 

Ever since the nullification of the Privacy Shield policy, it has become a necessity for businesses and marketing departments to align with the requirements.

Share this: