Tag Archives: privacy shield

FTC Brings the Enforcement Hammer for EU-US Privacy Shield Misrepresentations

For the first time, the Federal Trade Commission is holding companies accountable in three enforcement actions for misleading consumers about their Privacy Shield participation.

EU-U.S. Privacy Shield

The Privacy Shield framework allows companies to transfer consumer data across the pond from EU member states to the U.S. while complying with EU data protection laws. The Privacy Shield was created to replace the U.S.-EU Safe Harbor framework, which was deemed invalid in 2015.

To participate in the framework, companies must certify with the U.S. Department of Commerce and demonstrate compliance with the Privacy Shield Principles. The Department of Commerce maintains the list of active members, while the FTC enforces compliance.

During Safe Harbor’s tenure as the preferred data transfer mechanism between the EU and U.S., the FTC brought 39 enforcement actions against companies for noncompliance. Now we see the first three enforcement actions under the newer Privacy Shield framework.

Privacy Shield Enforcement

The FTC announced that three companies violated the FTC Act by making false claims regarding their Privacy Shield certification to consumers. The companies never actually completed the certification process.

  • HR software company Decusoft LLC falsely stated in its privacy policy that it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.”
  • Printing services company Tru Communication (aka TCPrinting.net) falsely stated in its privacy policy that it “will remain compliant and current with Privacy Shield at all times.”
  • Real estate management company Md7 LLC falsely stated in its privacy policy that it “complies with the EU-U.S. Privacy Shield Framework.”

Acting FTC Chairman Maureen K. Ohlhausen notes, “Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce. Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

In conjunction with the settlements, the FTC prohibits the three companies from misrepresenting their participation in any privacy or data security program sponsored by a government or regulatory agency.

Key Takeaways

What can other companies learn from the mistakes in these cases?

The FTC is committed to taking enforcement action against misrepresentations of Privacy Shield participation. Given the prior settlements under the Safe Harbor framework, the FTC remains consistent in its efforts to hold companies accountable.

The FTC advises, “If you apply to participate in Privacy Shield, follow through. If you apply but then decide not to participate, don’t tout your compliance in your privacy policy or elsewhere on your website. Furthermore, if the Department of Commerce contacts your company about a deficient or incomplete application, it’s wise to heed the warning by completing the self-certification process in a timely manner or by removing any false statement regarding participation in the Privacy Shield Framework.”

Swiss-US Privacy Shield Announced

The Swiss government announced a new framework for transferring personal information across borders from Switzerland to the US – the Swiss-US Privacy Shield. The Swiss version of the Privacy Shield is strikingly similar to the EU version that became effective last summer.

The Swiss-US Privacy Shield replaces the outdated Safe Harbor. Notable aspects of the new data transfer framework include:

  • Stricter application of data protection principles
  • More cooperation between the Department of Commerce and the Federal Data Protection and Information Commissioner
  • An arbitration body to address unresolved claims

Companies in the US can certify under the Swiss-US Privacy Shield to legally transfer data from Switzerland to the US. The Department of Commerce accepts applications for certification starting April 12, 2017.

EU-U.S. Privacy Shield: How to Certify

The U.S. Department of Commerce announced a new website dedicated to the EU-U.S. Privacy Shield. The Privacy Shield website allows organizations to certify and provides additional information about the Privacy Shield.

The Department of Commerce is now accepting certifications through the website. If your organization was relying on Safe Harbor to transfer data from the EU back to the U.S., certifying for the Privacy Shield will allow you to continue those data transfers.

EU Gives Privacy Shield the Green Light

In the midst of criticism from several EU agencies, the Privacy Shield got the thumbs up. The Article 31 Committee approved the final version of the EU-U.S. Privacy Shield. This new framework for transferring data from the EU to the U.S. will serve as the replacement to the Safe Harbor.

As reported last year, the Safe Harbor framework was deemed invalid, leaving many companies without a legal way to transfer data from the EU to the U.S.

Privacy Shield Overview

The European Commission released the following guiding principles for the Privacy Shield:

  • Obligations on Companies: Regular updates and reviews will be conducted on companies to ensure they are following the rules. Noncompliance will bring risk of penalties and removal from the program.
  • U.S. Government Access: The U.S. has given the EU assurance that government access is subject to clear limitations. The EU also gets redress mechanisms in this area for noncompliance.
  • Individual Rights: Individuals have several ways to get their complaints recognized – by the company directly, free alternative dispute resolution solutions, national Data Protection Authorities, or a last resort arbitration mechanism.
  • Annual Review: The European Commission and U.S. Department of Commerce will review and report on the agreement annually.

A statement released regarding the Privacy Shield framework mentioned it “will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old Safe Harbor: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”

Key Takeaway

This is good news for businesses with operations in the EU. Getting approval from the EU Member States moves the Privacy Shield over a big hurdle and closer to the finish line. It’s expected that companies will be able to start certifying with the Department of Commerce August 1, 2016.

EU & U.S. Reach New Safe Harbor Agreement

Amidst a January 31 deadline to reach a new data transfer agreement to replace the old Safe Harbor, the U.S. and EU came to terms on a new deal on February 2. According to the European Commission, the new agreement is called the EU-U.S. Privacy Shield.

European Commissioner for Justice, Consumers, and Gender Equality Věra Jourová stated, “The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies.”

The key provisions of the agreement include:

  • Protection of EU citizens’ rights with several redress possibilities,
  • Assurance from the U.S. government that it won’t conduct surveillance of Europeans,
  • A new position in the Department of State to supervise surveillance concerns, and
  • An annual review to monitor the agreement.

Companies that agree to the EU-U.S. Privacy Shield for transferring data will commit to certain obligations on how that data is collected and processed. Those commitments will be published, monitored by the Department of Commerce, and enforced by the Federal Trade Commission.

The U.S. will now have to make the necessary preparations in order to implement the new privacy framework. There is also no indication that the 4,000 previously Safe Harbor-certified companies will have a head start with the Privacy Shield.

The new agreement shows an effort on both sides of the Atlantic to ensure that reasonable trans-border data flow can continue. There should be more reactions and takeaways when the details of the agreement are released and shared with the data protection authorities in Europe.