Nov 21, 2016

The EU-US Privacy Shield Framework vs. European data protection laws - an FYI for marketers

There’s a lot of misinformation being spread about the need for companies like adjust to be self-certified under US Privacy Shield, as far as to say that without this certification you could be breaking the law.

With that in mind, we thought it was a good idea to stop the misinformation in its tracks and actually break down what the Privacy Shield does, what the Privacy shield means for adjust, and how adjust is actually protecting your data now.

What is the EU-US Privacy Shield Framework?

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with the mechanisms to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. In general, this means that if a European Company is transferring personal data to the US, they need to make sure that these companies are self-certified under the Privacy Shield.

The EU-US Privacy Shield Framework and adjust

adjust GmbH is a German based company and the parent company of adjust Inc., this means we must fully comply with all German and European Data Protection laws. Our US-entity, adjust Inc., only has a software license from adjust GmbH, but does not own or operate their own server and is therefore not transferring data from the US to Europe or from Europe to the US. adjust’s servers are all located in Germany, and therefore in an EU member state.

Furthermore, we as adjust GmbH fully comply with all European data protection laws. We earned the ePrivacy Seal, which is a globally accepted data security certification based on European data protection law. By earning this seal, we have demonstrated total compliance with ePrivacy’s criteria catalog, including:

  • Anonymization of sensitive data
  • Transparency in the collection and compilation of services
  • Transparency of data’s role in the adjust product and services
  • Technical adherence to European data protection laws
  • Legal adherence to European data protection laws

But what about data transfers from EU to the US?

We actually don’t transfer any personal data from Europe to the US, and only ever transfer hashed data, which by definition is not identifiable for anyone without putting in a significant amount of effort. This is one of the reasons why adjust is able to be e-Privacy certified.

Although the Privacy Shield is certainly an option for companies wanting to protect themselves, adjust is already completely protected and compliant by ePrivacy and is audited yearly to maintain the seal.

The future of the Privacy Shield

The Privacy Shield is actually under pretty strong criticism, as every US authority has total access to transferred personal data and can save it without any reason, not to mention that US data protection laws are nowhere near as strict as the European ones.

Further to that, the Irish Data Protection Working group has already filed a lawsuit against the European Commission against the Privacy Shield at the European Court of Justice.

So it’s actually much better to be compatible with European data legislation (with adjust, this is proved by our ePrivacy seal), than being self-certified with the Privacy Shield which doesn’t include rigorous yearly audits to ensure actual compliance with the law.

What’s the difference between ePrivacy and the EU-US Privacy Shield?

  1. The Privacy Shield will likely be challenged again before a court; the ePrivacy seal has never been challenged before an authority or court.
  2. Obtaining the Privacy Shield happens via self-assessment; The ePrivacy seal works with accredited auditors, who need to verify their expertise and knowledge.
  3. The Privacy Shield only looks to see whether EU PII data is safely stored in the US and doesn’t look further; the ePrivacy seal covers all data protection topics through a detailed evaluation process to ensure compliance with very strict EU/DE data protection laws for technologies and related products
  4. The Privacy Shield only looks at the storage of EU data in the US and not more; ePrivacy seal includes the same evaluation criteria of Privacy shield and goes even further.
  5. Privacy Shield is not needed for any company which just stores all PII in EU; the ePrivacy seal is a positive evaluation for every company who wants to be compliant with strict EU privacy laws

And, as a result:

  1. Companies who don’t store PII outside EU/DE don’t actually need the Privacy Shield.
  2. Companies who’ve been self-certified under the Privacy Shield don’t necessarily fulfill the strict EU/DE privacy laws, they could actually only prove this via a separate data protection seal, like the ePrivacy seal.

Further questions?

As always, if you have any questions or feedback, just reach out to our team at any time.