The EU-US Privacy Shield is a framework for exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to allow US companies to receive personal data from EU organizations more easily, while complying with the EU privacy laws meant to protect EU citizens. The previous framework, called the International Safe Harbor Privacy Principles, was declared invalid in October 2015. Discussions about the new framework began immediately, and on February 2nd, 2016 a political agreement was reached. On July 12th, 2016 the Commission adopted its decision on the Shield. The new arrangements include strong data protection obligations on companies receiving personal data from the EU as well as safeguards on US government access to data. An annual joint review is envisioned to monitor the implementation.
We know that the GDPR influences any entity that works with EU citizens, even if the entity did not collect the data. Taking into consideration the vast, interconnected online environment, it is obvious the GDPR has immense implications in many sectors and for many businesses. There are significant differences in how the US and the EU perceive privacy. The Article 29 Working Party has issued its opinion on a wide variety of issues, from the Internet of Things to cloud computing and more. The GDPR puts a strong emphasis on how data is transferred to third parties, especially to non-EU countries, and the US has never been on the green list due to its more relaxed privacy rules and rights. For example, in the US the right to erasure is much more limited and can only be used in special cases, whereas the GDPR makes this right much easier for each individual to exercise. The GDPR will bring with it a number of changes, not only for organizations directly involved in processing personal data; it is very possible it will also bring changes to the EU-US Privacy Shield agreement. Discussions are still ongoing, so the topic should be closely monitored in the near future.