The EU-U.S. Privacy Shield & Email Marketing
Data Privacy Between the EU and the U.S. – a Never-Ending Story?
When the EU’s General Data Protection Regulation, GDPR, came into force in May 2018, it brought into focus the stark divide in how the U.S. and the EU handle data privacy. The U.S. and EU face an uncertain future when it comes to agreeing on how personal citizens’ data flows between them.
It’s looking like the existing agreement, the EU-U.S. Privacy Shield, might not be enough for the EU and too much for the U.S.
How personal information is transferred between the two political entities is not a new topic.
As U.S. Secretary of Commerce Penny Pritzker, who originally negotiated the Privacy Shield Pact in 2016, explains, the U.S. and the EU have fundamentally different ideas of what constitutes privacy when it comes to people’s information.
In the U.S., there are sectoral laws in place. These govern, for example, how personal information is handled in the health care and credit industries. Lawmakers in the EU, in contrast, consider privacy an inalienable right across all sectors.
This article does two things. It explores the current legal debate surrounding transatlantic data transfer and considers the ramifications for your email marketing.
A Quick History of EU-U.S. Data Protection Pacts
1️⃣ Safe Harbor Started It All
Before the EU-U.S. Privacy Shield Pact went into effect in 2016, Safe Harbor regulated the exchange of personal data between the U.S. and the EU. This data-sharing framework agreement entered into force in 2000.
It established what should happen to individuals’ personal information when it crossed transatlantic borders. Personal information means details such as birthdays, contact information, and ID numbers. Safe Harbor applied to U.S. companies like Facebook and Mailchimp.
Safe Harbor, however, was struck down in October 2015 by the European Court of Justice.
2️⃣ The EU-U.S. Data Privacy Shield
The EU-U.S. Privacy Shield, which was negotiated in 2016, was welcomed as having many improvements over Safe Harbor.
Even though it had its detractors, Privacy Shield was initially well regarded on both sides of the Atlantic when it came into force in August 2017.
Things became a little tricky, however, when ombudspersons had to be appointed to handle complaints, both in the EU and in the U.S. The appointment of an ombudsperson became a major point of contention between the U.S. and the EU.
🛡 Privacy Shield works through a self-certification process.
U.S. companies can apply for certification that will allow them to process personal data from the EU through the U.S. Department of Commerce. They must recertify annually.
Even though participation is voluntary, once a company commits to the Privacy Shield Principles, these principles will be enforced by the U.S. Federal Trade Commission or the U.S. Department of Transportation.
The U.S. Department of Commerce maintains an up-to-date list of self-certified companies. As of November 2018, nearly 4,000 U.S. organizations take part in Privacy Shield. 🛡
3️⃣ The Current Debate on Both Sides of the Atlantic
Recently, politicians on both sides of the Atlantic have found cause for concern when it comes to transatlantic data transfer.
The U.S. administration expressed dissatisfaction in May with the stipulations of GDPR. When the regulation came into effect, U.S. Secretary of Commerce Wilbur Ross critiqued GDPR, claiming it could “significantly interrupt transatlantic co-operation and create unnecessary barriers to trade.”
On the other side of the pond, European politicians and activists have found many points to critique. Since Trump took office in January 2017, he had failed to appoint an ombudsperson to deal with EU citizens’ complaints – a necessity stipulated by Privacy Shield.
What’s more, Facebook and Cambridge Analytica were both self-certified under Privacy Shield, and both companies were involved in one of the biggest data privacy scandals of the year. Many Europeans see this scandal as a reason to review Privacy Shield’s self-certification process.
Furthermore, many activists and politicians, including Max Schrems, famous for taking down Safe Harbor in court, have called Privacy Shield inadequate. For one, it offers no mechanisms to protect Europeans’ data from the long digital arm of U.S. intelligence agencies.
One particularly strong denouncer of Privacy Shield has been the Civil Liberties Committee (LIBE) of the European Parliament.
In June 2018, the committee sent a formal recommendation that the European Commission suspend Privacy Shield “until the U.S. authorities comply with its terms in full.” The committee called for the U.S. to appoint an ombudsperson by 1 September 2018. As it stands, they argued, the framework fails to protect EU residents adequately.
In turn, the EU Commissioner for Justice, Věra Jourová, wrote a letter to the U.S. Secretary of Commerce indicating that if the Trump administration did not comply with the requirements of Privacy Shield by 1 September and appoint an ombudsperson, she would suspend the pact.
In response to the increasing pressure, the Trump administration named Manisha Singh the Privacy Shield Ombudsperson on 28 September 2018, and Commissioner Jourová’s threats to leave the pact have not been realized.
The situation, however, remains tense on both sides. The European Commission recently met for its second yearly review of the Privacy Shield framework. They will publish their report at the end of November.
What Does This Mean for Email Marketing?
If you are a European company working with U.S. email marketing software, it’s a good time to reconsider your provider. Ditto if you’re an American company that uses email marketing and has European customers.
Even though many U.S. companies have self-certified under Privacy Shield, this does not equate to GDPR readiness. Nor does it protect European residents from U.S. intelligence agencies, which is a big concern. As multiple international cybersecurity experts have pointed out, “The Privacy Shield Won’t Make You GDPR-Compliant.”
Just last month, Reuters reported that the first round of large-scale legal action under GDPR should be forthcoming by the end of 2018.
While all sides hope that the EU and the U.S. can continue Privacy Shield, there is much suspicion on both sides. If European data protection supervisors choose to leverage GDPR to make an example of U.S.-based companies, such as Facebook and Google, negative sentiments on both sides will escalate.
Play It Safe: Email Marketing According to EU Law
I bet you know what comes next in this article, right? The choice is obvious.
Choose a European email marketing provider and you won’t have to worry about being in violation of GDPR. With servers located in Germany, a strictly enforced anti-spam policy and our software’s GDPR compliance, Newsletter2Go puts you on the safe side of email marketing.
But it’s not enough just to use our software. Here’s what you should do to make sure you are 100% GDPR compliant:
- All contacts must agree to receive promotional email from you. You can obtain this consent via a double opt-in sign-up process.
- Always state what personal information you are collecting from contacts and exactly how you are using this.
- If there are third parties, such as Newsletter2Go, processing your contacts’ personal information, make sure you sign a data processing agreement with these companies.
- Your data protection policy (data privacy statement) should always be available. It’s best if it’s linked in the registration form.
- Let your newsletter subscribers know they can unsubscribe at any point. Make sure to include an unsubscribe link in every mailing.
- For full transparency, include a legal notice or site notice in your footer. Under EU law, this should include registered company information.
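As an added illustration, not part of the original article and not Newsletter2Go’s software, here is a minimal double opt-in consent flow in Python covering the first, second and fifth points above: an unguessable, single-use, expiring confirmation token, a consent record that stores when the contact agreed and to what, and an unsubscribe path that blocks further sends. The in-memory dictionaries and the 48-hour token lifetime are assumptions.

```python
import secrets
import time

# Added example, not Newsletter2Go code. The dicts stand in for a database
# and the 48-hour token lifetime is an assumed policy value.
TOKEN_TTL_SECONDS = 48 * 3600
pending = {}    # token -> sign-up request awaiting confirmation
consents = {}   # email -> consent record (the proof kept for GDPR purposes)


def request_subscription(email, purpose, now=None):
    """Step 1 of double opt-in: store the request and return an unguessable,
    single-use token for the confirmation link. Nothing is mailed yet."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    pending[token] = {"email": email, "purpose": purpose, "requested_at": now}
    return token


def confirm_subscription(token, now=None):
    """Step 2: the contact follows the link. Record what they agreed to and
    when; reject unknown, already-used or expired tokens."""
    now = time.time() if now is None else now
    req = pending.pop(token, None)  # pop makes the token single-use
    if req is None or now - req["requested_at"] > TOKEN_TTL_SECONDS:
        return False
    consents[req["email"]] = {
        "purpose": req["purpose"],
        "requested_at": req["requested_at"],
        "confirmed_at": now,
        "unsubscribed_at": None,
    }
    return True


def unsubscribe(email, now=None):
    """Honour an unsubscribe link: keep the record as evidence of the
    original consent, but mark it so that no further mailings go out."""
    rec = consents.get(email)
    if rec is None:
        return False
    rec["unsubscribed_at"] = time.time() if now is None else now
    return True


def may_send_to(email):
    """Gate every mailing on a confirmed, still-active consent record."""
    rec = consents.get(email)
    return rec is not None and rec["unsubscribed_at"] is None
```

The consent record is what you would show a supervisory authority on request: the purpose text the contact saw, the request and confirmation timestamps, and the unsubscribe date if any.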
👉 If you’re interested in learning more about GDPR, download our white paper on the topic.
In Sum …
The topic remains a tense one.
Activists and politicians on both sides of the pond are eagerly awaiting the next ruling on the EU-U.S. Privacy Shield. We’ll keep you up-to-date on any new developments that arise.