The General Data Protection Regulation (GDPR) will come into force on May 25, 2018 and many are wondering how it will work with existing privacy arrangements, such as the Privacy Shield. One of the stipulations of the GDPR is that the personal data of people living within the European Union can only be transported to countries which have stringent data protection laws.
The stipulation is not satisfied by the US as a country overall, but the Privacy Shield was introduced in 2016 with the intent to ensure that eligible companies located within the US have sufficient protections in place to enable them to transfer personal data to and from EU countries.
What is the Privacy Shield?
The Privacy Shield is an agreement between the EU and the US which has been created to replace the previous Safe Harbour agreement, which was deemed invalid by the European Court of Justice in 2015. It is intended that the stipulations of the Privacy Shield will enable US companies to satisfy GDPR requirements to be able to transfer personal data to and from EU countries. Some aspects of the Privacy Shield are:
- Strengthened obligations for companies in the US to protect personal data that relates to people living within the EU.
- Personal data only to be used for specific purposes, with no general access available.
- Protection and redress available to citizens of the EU.
- Privacy Shield to be reviewed by both the EU and the US jointly on an annual basis.
You cannot really compare the Privacy Shield with GDPR, as one is a mechanism for ensuring that companies in the US comply with the requirements of the other. Both serve the same overall purpose; to protect the rights of people living within the EU, and ensure their rights freedoms are equally protected whether their data is treated in the EU or the US.
What is meant by consent under the GDPR?
One of the recurring issues with the European Data Protection Directive has been the definition of what constitutes consent. This is important as consent is one of the legitimate reasons for the holding and processing of personal data.
The wording of the previous European Data Protection Directive is such that different countries have been able to put more emphasis on assuring that consent is sufficient and legitimate. This situation is changing with the introduction of the General Data Protection Regulation (GDPR). Although the general meaning of consent remains unchanged, more definition is provided, in particular in regards to how it should be obtained.
What is this added definition?
There are two terms which provide added definition to the meaning of consent under GDPR when compared to the definition given in the Directive. These terms are:
This means that there is no doubt as to the intention of an individual to give consent for their personal data to be used for a specific purpose. If they agreed to it, then they were aware of what they were agreeing to as consent under the GDPR must be a separate action and distinct from agreeing to general terms and conditions.
- Statement or clear affirmative action
This means that an individual needs to take some sort of positive action in order for consent to be given. Previously used techniques of including pre-checked tick boxes, or counting a failure to act – such as silence or not unauthorizing data use – as consent, will no longer be sufficient.
The concept of consent being freely given is formalized with the arrival of the GDPR. An individual must give consent as a completely free choice, and opting out of giving consent must be easy to do.
The use of the service must also be independent of the person giving consent to use personal data, other than data required for the service to be performed.
This means that if a service requires a user’s name and telephone number to work, they cannot withhold providing the service because the user did not authorize the service to use their email address.
There will be significant sanctions which can be used against companies that do not comply with the GDPR, so it is important that all data protection professionals are up-to-date with what constitutes consent, enabling them to advise companies accordingly.
US companies wishing to process or providing processing services relating to EU data will need to review their obligations under the Privacy Shield and the GDPR. Otherwise, they may not be permitted to carry out their services, significantly impacting their business.