US firms may be exposed to GDPR compliance issues

The US-EU Privacy Shield does not impose adequate rules around the use of data by US firms, meaning some could fall short of GDPR compliance even while certified under it.

US firms covered by the US-EU Privacy Shield may still fall foul of new European data protection rules that come into force next year, lawyers have warned.

One of the specific requirements of the General Data Protection Regulation is that transfer of data relating to EU citizens happens only to countries deemed to have adequate data protection laws. In general, this does not include the US.

Previously, US firms were able to get around data transfer issues with the Safe Harbor system, which was recently replaced by the Privacy Shield. But opinion is divided as to whether being registered under the Privacy Shield is enough to ensure compliance with GDPR.

“Privacy Shield is designed to create a program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information. In short, the Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR,” according to the Privacy Trust website.

Lawyers have questioned whether it will in fact be adequate once GDPR kicks in, because it allows “massive and indiscriminate” bulk surveillance of EU citizens.

“Companies should be aware that GDPR shifts the issue of privacy and personal data protection even further from an information technology issue to a Board of Directors and C-suite issue. GDPR will have a tremendous impact on the day-to-day operations, costs and potential liabilities of the company that demands board level attention.

Furthermore, under Sarbanes-Oxley [Act] in the United States, public companies may need to disclose GDPR’s increased operational costs and potential for high liabilities to their investors,” law firm Foley and Gardner said in a client note.

US firms are advised to seek advice from experts as to whether the measures they have in place are adequate under the GDPR.