Confused about privacy: Untangling Safe Harbour, Privacy Shield and GDPR
Privacy Shield: a more formal compliance framework
The 'borderless' internet has created legal problems for nation-states across the globe. Tax law has brought all sorts of difficulties for international businesses, tax authorities and governments alike.
Privacy law is no less challenging. In the UK, the Data Protection Act, as enforced by the Information Commissioner's Office (ICO), has been the cornerstone of safeguarding privacy. For data that crosses borders, two further frameworks apply: the EU-US Privacy Shield, which governs transfers of personal data from the EU to the US, and the General Data Protection Regulation (GDPR), which sets the rules for the EU as a whole.
It is an area of some confusion. Here we help to untangle it with some key facts about Privacy Shield and GDPR.
From Safe Harbour to Privacy Shield
Privacy Shield is the successor to Safe Harbour ('Safe Harbor'), the earlier arrangement that let American companies self-certify to a single standard for consumer privacy and data storage covering both the US and Europe. The Edward Snowden leaks showed that US government agencies collected EU data regardless of Safe Harbour, and the arrangement also faced legal challenges; in 2015 the Court of Justice of the EU struck it down. The replacement was redesigned to satisfy US and EU regulators and re-named the EU-US Privacy Shield.
EU-US Privacy Shield - Key facts
- The Privacy Shield significantly improves oversight and enhances privacy protection for the data of EU citizens held by US companies. It is a ‘living framework’, with the US Department of Commerce, the Federal Trade Commission (FTC), and EU DPAs holding annual review meetings to discuss the functioning of and compliance with the Privacy Shield.
- The Privacy Shield strengthens cooperation between the FTC and EU Data Protection Authorities and the US Department of Commerce is equipped with new resources to supervise compliance with the Privacy Shield.
- EU citizens have access to multiple routes to resolve complaints, including dispute resolution at no cost. US companies must participate in binding arbitration with EU individuals to find legal remedies for concerns that cannot otherwise be resolved.
- The Privacy Shield improves transparency regarding personal data use, strengthens protections and informs EU citizens comprehensively about their rights. It improves oversight and accountability of companies / third parties transferring and processing EU citizen data.
- The Privacy Shield commits the US government to better protect EU citizen data by increasing transparency, strengthening oversight and enhancing judicial review of US signals intelligence activities. The agreement provides a specific channel (an Ombudsperson) for EU citizens to raise questions about signals intelligence activities relating to data transferred under the Privacy Shield.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), adopted by the European Parliament and the Council, strengthens and unifies data protection for individuals within the European Union (EU). Formally adopted on 27 April 2016, it applies from 25 May 2018.
GDPR - Key facts
- The GDPR applies to all organisations worldwide that process the personal data of individuals in the EU, whether by offering them goods or services or by monitoring their behaviour, regardless of where the organisation itself is based.
- The GDPR widens the definition of personal data, bringing new kinds of personal data under regulation. Any data that can be used to identify an individual, directly or indirectly, counts as personal data, including online identifiers and location data. It also explicitly covers genetic, biometric, mental, cultural, economic and social information.
- The GDPR tightens the rules for obtaining valid consent to use personal information. Where consent is the legal basis for processing, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count), and the organisation must be able to demonstrate that it was obtained.
- The GDPR introduces mandatory data protection impact assessments (DPIAs, often called privacy impact assessments or PIAs) for processing likely to result in a high risk to individuals, so that risks to data subjects are identified and minimised before processing begins. The inclusion of these assessments owes much to the influence of the UK's Information Commissioner's Office.
- The GDPR introduces a common data breach notification requirement that harmonises the data breach notification laws across Europe. This is intended to ensure organisations continuously monitor for breaches of personal data. Organisations must notify the relevant data protection authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and must inform affected individuals without undue delay when the risk is high.
- The GDPR introduces the right to erasure, commonly called the right to be forgotten. Organisations must not hold data for longer than necessary, must not use it for purposes incompatible with the purpose for which it was originally collected, and must delete it at the request of the data subject where no legal ground for keeping it remains.
- The GDPR requires that privacy is built into systems and processes by design and by default. Software development processes must factor in the principles of data protection from the outset. In practice this means systems must be able to locate, export and completely erase an individual's data on request, including copies held in backups, logs and third-party services.
- The GDPR allows any European data protection authority to act against organisations, regardless of where in the world the company is based. This enforcement is backed by significant fines of up to €20m or 4% of annual global turnover, whichever is higher.
Be clear about data privacy with HTL Support
Legislation is one strand of privacy. Another, perhaps more important one, is IT security. HTL Support solutions are operated from data centres certified to ISO 27001, the internationally recognised standard for information security management. Our data centres are UK only, which means data owned by UK companies and stored with us is free from cross-border data sovereignty issues.
To find out more about how we can help you with IT Security and protect privacy, simply get in touch today.