There is a long history of frameworks aimed at establishing a binding form of oversight for data protection in the USA so that personal data can lawfully be exchanged with the EU and Switzerland.
The latest of these, the Privacy Shield framework, was announced in February 2016 (and adopted in July 2016) to replace the earlier Safe Harbor arrangement, which had been inadequately conceived and enforced and was invalidated by the Court of Justice of the EU in October 2015. Although well-intended, Safe Harbor had come to be seen as lacking the transparency and enforcement needed to provide sufficient protection for personal data transferred between the EU and the USA.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce together with the European Commission and the Swiss Administration to give companies on both sides of the Atlantic a mechanism for complying with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
Principles of the Privacy Shield Framework
The Privacy Shield Framework is built on seven principles:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement, and Liability
Privacy Shield and GDPR
Under the GDPR, Article 46 provides that, in the absence of an adequacy decision by the European Commission, a controller or processor may transfer personal data to a third country outside the European Union only if the controller or processor has provided appropriate safeguards for the data. It is that second part of the requirement where Privacy Shield comes into play: its goal was to serve as the mechanism for those appropriate safeguards. This matters because the penalties for non-compliance under the GDPR are significant, with fines of up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher. Fines are increasing, and the Data Protection Authorities in countries such as Germany are gaining confidence and becoming more stringent in their audits of organizations, especially multinationals that do not respect the privacy of European Union residents.
Data Protection Comparison Germany & USA
From a global perspective, a comparison of data protection in Germany and the USA shows that companies operating in both countries need to take due care in how they transfer personal data between their entities. For US-based companies, understanding the German attitude to data protection and data privacy is fundamental to doing business in the country. The EU has the strictest data protection and privacy requirements in the world, and even within the European Union, Germany applies the most rigorous standards. Topics related to privacy, data protection and security are constantly in the spotlight there. US consumers are now becoming more aware of their own data privacy, which has led to a wave of new US laws modelled on the GDPR, so the German and US mindsets on data protection are converging. Bear in mind, however, studies such as one by Harvard Business Review which found that German consumers place a higher priority on their data privacy than consumers anywhere else in the world.
In conclusion, businesses that need to exchange data between the US and the EU, and in particular with Germany, should pay close attention to the Privacy Shield Framework and the GDPR. Note that the Privacy Shield Framework was itself invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so it can no longer be relied on as an Article 46 safeguard; the underlying GDPR requirement to provide appropriate safeguards for transfers to the United States remains in force.