On Dec. 19, 2018, the European Commission published the results of its annual review of the U.S.-EU Privacy Shield Framework. While the U.S.-EU Privacy Shield still meets the adequacy requirements of the General Data Protection Regulation (GDPR), the U.S. must take swift steps to make additional improvements to Privacy Shield, such as appointing a permanent ombudsperson.
GDPR adequacy requirement
Organizations both within and outside of the EU that process or otherwise handle the personal information of EU residents must comply with the GDPR, the most comprehensive and rigorous data privacy regulation to date. To comply, organizations must not only observe the new rights of data subjects, but also safeguard their personal data, particularly when transferring it to countries outside the EU.
According to the GDPR, transfers of personal data to another country may take place only if the European Commission has determined that the country “ensures an adequate level of protection” for that information. If not, the responsibility falls to the organization to take measures to prove that acceptable safeguards are in place. The current legal standards in the U.S. do not meet the EU criteria for adequacy (in part due to the EU’s concerns about U.S. government surveillance practices), which increases the compliance effort for U.S. companies.