“EU-US Privacy Shield” is a big topic at the moment – but what is it really about?
What is the EU-US Privacy Shield?
In summary, the EU-US Privacy Shield serves to transfer personal data of European citizens to US companies in compliance with the European General Data Protection Regulation (GDPR).
The EU-US Privacy Shield was established for this purpose on July 12, 2016 by a decision of the European Commission (2016/1250).
The Privacy Shield is not generally valid for all U.S. companies, but only for those companies that have a valid Privacy Shield certification.
Official Privacy Shield List of the U.S. Department of Commerce
Whether a U.S. company has a valid Privacy Shield certification can be verified through the official list of the U.S. Department of Commerce. Thus, the companies on this list respect the rights set forth in the Privacy Shield.
What must a U.S. company with Privacy Shield take into account?
The main aspect that U.S. companies wanting to take advantage of the Privacy Shield had to consider is that they make a voluntary commitment. This commitment is to align with certain data protection principles and to grant rights to affected parties, and thus to act in a manner similar to a directive that applies to the area from which the data is transferred: the EU.
What is the main reason behind the criticism of the Privacy Shield?
The critical point about the Privacy Shield is mainly the lack of binding force and the insufficient protection against state access by the USA to personal data of EU citizens. In the US, not only do companies have access to the stored data, but the authorities also reserve the right to access it at any time. This obliges companies to grant access to the data to intelligence services and authorities (e.g. NSA or FBI), which also affects European data. This is one of the critical aspects on which the US authorities, with regard to their national security needs, and the ECJ, with regard to the security of personal data, are not on the same page. As a result, the ECJ has declared the Privacy Shield invalid, which means that without the EU-US Privacy Shield, no personal data can be transferred from the EU to the US for processing.
Which services and which companies are affected?
To understand the extent of the impact of the EU-US Privacy Shield, it may be useful to look at the services that are specifically affected by the lack of the Privacy Shield. Concrete services will be defined in the next few weeks, but to have a short overview of which services are concerned, the following list could be helpful:
• Social Media Plugins (e.g.: Facebook, Instagram, LinkedIn, Twitter, Pinterest…)
• Music/video platforms (e.g.: YouTube, Vimeo, SoundCloud, Spotify…)
• Tracking services (e.g.: Google Analytics, WordPress Stats…)
• Ad networks (e.g.: Google, Facebook…)
• Newsletter providers (e.g.: MailChimp)
• Others: Microsoft, Amazon, Dropbox…
The invalidity of the Privacy Shield has a huge impact on data transfers between the EU and the US.
In order to avoid a standstill in global data transfers, the ECJ has confirmed the effectiveness of the standard contractual clauses, which means that transatlantic data transfers are now legally secure only after the conclusion of a standard contract for the transfer of personal data.
It will probably take some time to get more clarity on the conclusions of this situation.