With Your Shield Or On It - The FTC Steps Up Privacy Shield Enforcement

Poyner Spruill LLP

Three years ago, the European Court of Justice killed the US-EU Safe Harbor Program. In the wake of the decision, American and EU negotiators developed the “Privacy Shield” program to facilitate cross-Atlantic data transfers. The Department of Commerce and the Federal Trade Commission (FTC) were designated to regulate the American side of the program.

American regulators came under fire last summer, when the EU Parliament complained that they had not been aggressive enough in their oversight. EU Justice Commissioner Věra Jourová raised similar concerns with Secretary of Commerce Wilbur Ross. Perhaps in response, the FTC has brought a number of actions against companies for Privacy Shield violations.

The Privacy Shield program relies on a self-certification process. Privacy Shield-compliant companies commit to stringent privacy safeguards. The safeguards include restrictions on further transmission of data, cooperation with an Ombudsman, data security standards, notice, and consumer choice.

The FTC alleged that the offending companies had not met these requirements. Some did not complete the certification procedure. Others simply let their certifications lapse. Yet all continued to hold themselves out as Privacy Shield compliant. The FTC viewed this inaccuracy as a “deceptive” action that violates the FTC Act. 

Consequently, the FTC proposes to penalize these violations with various sanctions: companies will be barred from misrepresenting their participation in, or compliance with, the Privacy Shield program. They must agree to adhere to FTC reporting requirements. They must agree to delete improperly collected data. Full Privacy Shield protections will apply to remaining data. The FTC may also require monitoring or additional safeguards.

These sanctions, together with any monitoring requirements, mean that the FTC has now acted against eight companies for Privacy Shield violations. It promises to “continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.” Whether this suffices to meet EU standards is undetermined. For now, companies needing to vet their Privacy Shield compliance program, or cross-border data mechanism, should consult with counsel.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
