The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 — ushering into existence a strict privacy regime to control how organizations worldwide can collect, use, and store the personal information of EU citizens. GDPR violations can bring stiff penalties, so organizations everywhere must be mindful of its requirements.
In 2016, the EU-U.S. Privacy Shield framework was launched in response to a 2015 ruling by the Court of Justice of the European Union (CJEU). That ruling had invalidated Privacy Shield’s predecessor, the International Safe Harbor Privacy Principles, which had been used to govern data exchange between the United States and the EU (and Switzerland).
Although the Court of Justice subsequently invalidated the Privacy Shield framework in 2020, participants are still obliged to comply with some of its requirements.
Understanding the GDPR and Privacy Shield is necessary to protect the data privacy of EU citizens and to remain compliant with regulations. There are, however, important differences between the two rules. Those differences are explored in this article.
What Is GDPR?
The GDPR stemmed from increasing public concerns over privacy and how companies use consumer data in the Internet-driven information age. The GDPR includes provisions that require organizations to implement adequate safeguards to protect the data and privacy of citizens in the 27 EU member states.
The law also defines the rights of EU residents and consumers regarding the collection and use of their data. Those include the right to consent and the “right to be forgotten” — that is, the right to demand that a company erase one’s data.
Types of Data Protected by the GDPR
The word “data” under the GDPR encompasses a wide range of information, including:
- Personal identifiers, such as names, addresses, and national ID numbers
- Health and genetic data
- Racial and ethnic data
- Political opinions
- Web browsing cookies, IP addresses, and RFID tags
Who Is Subject to GDPR Compliance?
The GDPR is not limited to companies operating in the EU. GDPR compliance applies to any company in any country that collects or processes the personal data of EU citizens — even if that company does not have a business presence in the EU.
Companies must also comply with the GDPR if they have:
- A presence in any EU country
- More than 250 employees
- Fewer than 250 employees but process certain types of sensitive data
So as a practical matter, the GDPR affects data and privacy protection requirements on a global scale.
EU supervisory authorities (SAs) can investigate cases of non-compliance and impose penalties and fines on non-compliant firms. These fines may be up to 4 percent of total global revenues or €20 million, whichever is greater. Those enforcing authorities (usually a national privacy regulator of some kind) may also require companies to implement corrective actions such as:
- Performing audits to ensure compliance
- Implementing specified improvements by prescribed deadlines
- Erasing certain collections of data
Privacy regulators may also block non-compliant companies from transferring data to other countries.
The GDPR places equal liability on organizations that possess the data (“data controllers”) and on third-party organizations that help those controllers manage the data (“data processors”). If a processor is not compliant, its customer organization (that is, the data controller) is also considered non-compliant. Regulators may then impose the above penalties on both firms.
What Is Privacy Shield?
The EU-U.S. Privacy Shield framework was designed to allow U.S. and EU organizations to transfer data during the course of transatlantic commerce while still staying in compliance with U.S. and EU privacy regulations. While the EU has replaced Privacy Shield with the more stringent GDPR, the United States still enforces Privacy Shield.
Differences Between the GDPR and Privacy Shield
Both the GDPR and Privacy Shield have a common objective: to protect user data and privacy while allowing organizations to conduct business with minimal disruptions. Despite these similarities, they differ in the following ways:
The GDPR applies to all companies worldwide if they collect or store the data of EU data subjects. Privacy Shield only applies to U.S. companies doing the same.
The GDPR’s obligations are legally binding, so organizations cannot simply “opt out” of compliance. On the other hand, they can choose to comply with Privacy Shield by self-certifying to the U.S. Department of Commerce that they adhere to its principles. The GDPR has no such voluntary self-certification process, and the steps for GDPR compliance are more rigorous.
Once Privacy Shield self-certification is complete, a company must remain in compliance with its requirements. Non-compliance penalties include removal from Privacy Shield, so the organization may no longer be allowed to receive personal data from the EU.
Enforcement of the GDPR is carried out by EU member states’ data protection authorities (DPAs) and by EU courts, including the EU Court of Justice; those regulatory enforcement actions and court judgments cannot be ignored.
The Privacy Shield framework is jointly controlled by the U.S. Federal Trade Commission (FTC) and the Department of Commerce, although enforcement responsibility lies with the FTC.
The GDPR can only be interpreted through EU courts, not by government representatives. In contrast, Privacy Shield can be interpreted outside the judicial system. Privacy Shield is reviewed annually by government representatives from the EU and the United States, and either party has the right to invalidate the framework.
Interpretation of Human Resources Data
Human resources (HR) personal data is interpreted differently under the GDPR and Privacy Shield. Under the GDPR, HR personal data is any employee data in the context of the employee-employer relationship; under Privacy Shield, the term refers only to the data of employees within the same organization.
For example, when employee data is transferred to a third party, Privacy Shield considers it commercial data rather than personal data. GDPR considers employee data as personal data regardless of whether the data is transferred to another party. This difference in interpretation is a point of contention between the U.S. and EU review groups.
Penalties for Non-Compliance
Per the GDPR, regulators can reprimand, sanction, or impose fines on non-compliant companies. They may publicly name such companies and require them to conduct external audits. EU data protection authorities will also investigate data breaches that potentially resulted from GDPR non-compliance.
Privacy Shield non-compliance brings less attention and punishment. The Department of Commerce maintains a list of U.S. organizations that have been removed from Privacy Shield. The Federal Trade Commission may impose penalties such as:
- Injunctive awards
- Cease-and-desist orders
- Removal of all personal data received under the program
- Civil actions
Let ZenGRC Help with GDPR Compliance
Strengthen the compliance posture and security of your organization with ZenGRC.
Instead of using spreadsheets to manage your privacy compliance requirements, adopt ZenGRC’s governance, risk, and compliance platform to streamline evidence and audit management for all of your compliance frameworks.
Leverage its integrated and automated system of record to ensure that your business systems and the data they hold are both compliant and safe. ZenGRC gives you complete views of your control environments and provides easy access to insightful reporting and dashboards to help you evaluate your compliance program and address critical risks.
If you’re looking to move from “check-the-box” compliance to compliance-driven security, let ZenGRC be your partner. Schedule a demo to learn about ZenGRC.