By Saad Gul
Three years ago, the European Court of Justice killed in the U.S.-E.U. Safe Harbor Program. In the wake of the decision, American and EU negotiators developed the “Privacy Shield” program to facilitate cross-Atlantic data transfers. The Department of Commerce and the Federal Trade Commission (FTC) were designated to regulate the American side of the pogram.
American regulators came under fire last summer, when the EU Parliament complained that they had not been aggressive enough in their oversight. EU Justice Commissioner Věra Jourová raised similar concerns with Secretary of Commerce Wilbur Ross. Perhaps in response, the FTC has brought a number actions against companies for Privacy Shield violations.
The Privacy Shield program relies on a self-certification process. Privacy Shield compliant-companies commit to stringent privacy safeguards. The safeguards include restrictions on further transmission of data, cooperating with an Ombudsman, data security standards, notice, and consumer choice.
The FTC alleged that the offending companies had not met these requirements. Some did not complete the certification procedure. Others simply let their certifications lapse. Yet all continued to hold themselves out as Privacy Should compliant. The FTC viewed this incorrect as a “deceptive” action that violates the FTC Act.
Consequently, the FTC proposes to penalize these violations with various sanctions: companies will be barred from misrepresenting their participation or compliance with the Privacy Shield program. They must agree to adhere to FTC reporting requirements. They must agree to delete improperly collected data. Full Privacy Shield protections will apply to remaining data. The FTC may also require monitoring or additional safeguards.
These sanctions, together with any monitoring requirements, mean that the FTC has now acted against eight companies for Privacy Shield violations. It promises to “continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.” Whether this suffices to meet EU standards is undetermined. For now, companies needing to vet their Privacy Shield compliance program, or cross-border data mechanism, should consult with counsel.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.