The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, imposing a strict privacy regime to control how organizations can collect, use, and store the personal information of EU citizens. GDPR violations can bring stiff penalties, so organizations anywhere in the world must be mindful of its requirements.
In 2016, the EU-U.S. Privacy Shield framework was launched in response to a 2015 ruling by the Court of Justice of the European Union (CJEU). That ruling had invalidated Privacy Shield’s predecessor, the International Safe Harbor Privacy Principles, which had been used to govern data exchange between the United States and the EU (and Switzerland).
Although the Court of Justice subsequently invalidated the Privacy Shield framework in 2020, businesses must still comply with some Privacy Shield requirements. For organizations that operate globally, understanding the GDPR and Privacy Shield is critical to comply with privacy regulations as you do business in Europe and around the world.
There are, however, important differences between the two rules. Those differences are explored in this article.
What Is the GDPR?
The General Data Protection Regulation (GDPR) arose from increasing public concerns over privacy and how companies use consumer data in the Internet-driven information age. The GDPR includes provisions that require organizations to implement adequate safeguards to protect the data and privacy of citizens in the 27 EU member states.
The GDPR was also among the 69 EU legal acts incorporated into the EEA Agreement by the EEA Joint Committee in Brussels in July 2018, making it also binding for European Free Trade Association (EFTA) countries.
The law also defines the rights of EU residents and consumers regarding the collection and use of their data. Those include the right to consent and the “right to be forgotten,” that is, the right to demand that a company erase one’s data.
Types of Data Protected by the GDPR
The word “data” under the GDPR encompasses a wide range of information, including:
- Personal identifiers, such as names, addresses, and national ID numbers
- Health and genetic data
- Racial and ethnic data
- Political opinions
- Web browsing cookies, IP addresses, and RFID tags
- Biometrics
Who Is Subject to GDPR Compliance?
The GDPR is not limited only to companies operating in the EU. GDPR compliance applies to any company in any country that collects or processes the personal data of EU citizens — even if that company does not have a business presence in the EU.
Companies must also comply with the GDPR if they have:
- A presence in any EU country
- More than 250 employees
- Fewer than 250 employees but process certain types of sensitive data
So as a practical matter, the GDPR affects data and privacy protection requirements on a global scale.
Penalties for Non-Compliance
EU privacy regulators (formally known as “supervising authorities,” or SAs) can investigate reports of GDPR violations and impose penalties and fines on non-compliant firms. These fines may be up to 4 percent of the offending organization’s total global revenues or €20 million, whichever is greater. Those supervising authorities can also require companies to implement corrective actions such as:
- Performing audits to ensure compliance
- Implementing specified improvements by prescribed deadlines
- Erasing certain collections of data
Privacy regulators may also block non-compliant companies from transferring data to other countries.
The GDPR places equal liability on organizations that possess the data (“data controllers”) and on third-party organizations that help data owners to manage that data (“data processors”). If processors aren’t compliant, their customer organization (that is, the data controller) is also considered non-compliant. Regulators may then impose the above penalties on both firms.
What Was Privacy Shield?
The EU-U.S. Privacy Shield framework was designed to allow data transfer between U.S. and EU companies during transatlantic commerce while remaining in compliance with U.S. and EU privacy regulations. It was declared invalid by the European Court of Justice in 2020 in the case filed by Max Schrems, also referred to as the “Schrems II” case.
The Trans-Atlantic Data Privacy Framework, meant to replace it, was agreed upon by the Biden Administration and the European Commission in March 2022 and later renamed the EU-U.S. Data Privacy Framework.
The European Union concluded in July 2023 that this new framework ensures an adequate level of protection, allowing a secure flow of information back and forth between the United States and the European Union.
Differences Between the GDPR and Privacy Shield
Both the GDPR and Privacy Shield have a common objective: to protect user data and privacy while allowing organizations to conduct business with minimal disruptions. Despite these similarities, they differ in the following ways:
Applicability
The GDPR applies to all companies worldwide that collect or store the data of EU data subjects, regardless of whether they are based in Europe. Privacy Shield only applied to U.S. companies doing the same.
Legality
The GDPR’s obligations are legally binding, so organizations cannot simply “opt out” of compliance. On the other hand, they can choose to comply with Privacy Shield by self-certifying their adherence to the U.S. Department of Commerce. The GDPR has no such voluntary self-certification process, and the steps for GDPR compliance are more rigorous.
Once Privacy Shield self-certification is complete, a company must comply with its requirements. Non-compliance penalties include removal from Privacy Shield, so the organization may no longer be allowed to receive personal data from the EU.
Enforcement
Enforcement of the GDPR is carried out by EU member states’ Data Protection Authorities (DPAs) and by EU courts, including the European Court of Justice; those regulatory enforcement actions and court judgments cannot be ignored.
The Privacy Shield framework is jointly controlled by the U.S. Federal Trade Commission (FTC) and the Department of Commerce, although enforcement responsibility lies with the FTC.
Legal Interpretation
The GDPR can only be interpreted through EU courts, not by government representatives. In contrast, Privacy Shield can be interpreted outside the judicial system. Privacy Shield is reviewed annually by government representatives from the EU and the United States, and either party has the right to invalidate the framework.
Interpretation of Human Resources Data
Human resources (HR) personal data is interpreted differently under the GDPR and Privacy Shield. Under the GDPR, HR data is any employee data in the context of the employee-employer relationship; under the Privacy Shield, the term only refers to the data of employees within the same organization.
For example, when employee data is transferred to a third party, Privacy Shield considers it commercial data rather than a transfer of personal data. GDPR considers employee data as personal data regardless of whether the data is transferred to another party. This difference in interpretation is a point of contention between the U.S. and EU review groups.
Penalties for Non-Compliance
Per the GDPR, regulators can reprimand, sanction, or impose fines on non-compliant companies. They may publicly name such companies and require them to conduct external audits. EU data protection authorities will also investigate data breaches that potentially resulted from GDPR non-compliance.
Privacy Shield non-compliance brings less attention and punishment. The Department of Commerce controls a list of U.S. organizations that have been removed from Privacy Shield. The Federal Trade Commission may impose penalties such as:
- Fines
- Injunctive awards
- Cease-and-desist orders
- Removal of all personal data received under the program
- Civil actions
Choosing Between GDPR and Data Privacy Framework
If your company processes the personal data of EU citizens, you must comply with the GDPR. The GDPR is a more extensive and stricter law than Privacy Shield, offering a greater level of protection.
If your company is based in the United States and does not process the personal data of EU residents, but expects to transfer information to or receive information from companies under the GDPR regime, you should comply with the new U.S.-EU Data Privacy Framework regulations. That will allow your suppliers or customers in Europe to transfer personal data to you in compliance with the GDPR’s rules on transfers to foreign countries.
Let ZenGRC Help with GDPR Compliance
Instead of using spreadsheets to manage your privacy compliance requirements, use ZenGRC’s governance, risk, and compliance platform to streamline evidence and audit management for all of your compliance frameworks.
Leverage its integrated and automated system of record to assure that your business systems and data are compliant and safe. ZenGRC gives you complete views of your control environments and provides easy access to insightful reporting and dashboards to help you evaluate your compliance program and address critical risks.
If you want to move from check-the-box compliance to compliance-driven security, let ZenGRC be your partner. Schedule a demo to learn about ZenGRC.