Privacy Shield does not guarantee GDPR compliance

US firms certified under the regime must still ensure their data protection and processing meets the requirements of the EU regulation, warn lawyers.

US fund managers may fall foul of new European data protection rules even if they have signed up to the US-Europe Privacy Shield, lawyers have warned.

While the Privacy Shield imposes stricter data protection obligations on certified firms, which is what allows them to receive personal data transferred from Europe to the US, critics argue that it still leaves room for US authorities to carry out “massive and indiscriminate” bulk surveillance of EU citizens, a level of intrusion that cannot be reconciled with the protections the General Data Protection Regulation demands.

“The Privacy Shield is a great step forward, but there are several areas in which it is unacceptable and contravenes the GDPR,” said law firm Foley & Lardner in a client note.

Firms certified under the Privacy Shield are advised to ensure they meet the GDPR’s data minimisation principle (collecting and retaining only the personal data strictly needed for a stated purpose) and its security of processing obligations (having appropriate technical and organisational measures in place to protect that data). In practice this may mean auditing the personal data they hold, rewording their privacy policies, and/or renegotiating contracts with the third-party suppliers that process personal data on their behalf, since the GDPR prescribes the terms such processor contracts must contain.

“Companies should be aware that GDPR shifts the issue of privacy and personal data protection even further from an information technology issue to a Board of Directors and C-suite issue. GDPR will have a tremendous impact on the day-to-day operations, costs, and potential liabilities of the company that demands board-level attention,” the firm said.

The law firm added that under the Sarbanes-Oxley Act in the US, public companies may need to disclose GDPR’s increased operational costs and potential for high liabilities to their investors.

The GDPR applies from 25 May 2018. For the most serious infringements, a firm can be fined up to €20 million or 4 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher.