Shifting Ground for Data Privacy: The Latest on CCPA and Privacy Shield Laws


March 1, 2023

GDPR? Old news. (We’ll just pass over the fact that many organizations have yet to reach compliance…that’s another story.) While hosting providers that advertise to European companies and individuals must comply with the EU law, there are other legal requirements that US-focused organizations have to consider, namely Privacy Shield and an upcoming compliance mandate in the state of California that is similar to GDPR itself.

Privacy Shield is an international law in flux, with EU lawmakers threatening to withdraw entirely if the USA does not enforce compliance. The California Consumer Privacy Act (CCPA) will go into effect in 2020.

What do these laws entail? And should your organization be concerned with these data privacy measures?


Privacy Shield in the Midst of EU-US Conflict


Privacy Shield is an international agreement between the European Union and United States regarding data privacy and sharing. It has existed since 2016, when it replaced the Safe Harbor data sharing framework.

Companies that transfer personal data from the EU to the USA must self-certify with the US Department of Commerce that they comply with 23 requirements relating to the use and treatment of that data, in addition to mechanisms for request of that data and options for recourse by European citizens.

Privacy Shield may seem to have been superseded by the General Data Protection Regulation (GDPR), but in practice the two work in tandem. GDPR does go further in its protections than Privacy Shield, but it is enforced by European bodies rather than the US government.

However, the United States has not been enforcing Privacy Shield compliance and has not appointed the required officials, leading the EU Commissioner for Justice to issue an ultimatum to the US Secretary of Commerce: comply, or the agreement will be suspended, in theory ending all data sharing between the US and the EU, at least where it involves personal information used for commercial purposes.

Meanwhile, the same plaintiff who brought down the Safe Harbor framework has turned towards Privacy Shield as well, bringing a legal challenge that essentially claims information transferred under Privacy Shield does not have enough protection from United States surveillance policies or corporate practices. The European Parliament seems to agree, calling out the Facebook-Cambridge Analytica scandal as an example of how enforcement of Privacy Shield is lacking.

If Privacy Shield is retracted, there will likely be a lengthy process as a new international agreement is hammered out, resulting in new compliance standards for companies that process and transfer personal information between the EU and USA.