- November 1, 2019
- Posted by: r0m3@dm1
- Category: Articles
On December 3, 2019, the Federal Trade Commission (FTC) announced settlements with four companies related to allegations that they deceived consumers over participation in the EU-US Privacy Shield Framework. The companies include Click Labs, Inc., a website and mobile app services provider; Incentive Services, Inc., a developer of service award and incentive programs for employers; Global Data Vault, LLC, a provider of data storage and recovery services; and TDARX, Inc., an IT services provider. According to the FTC’s allegations, at least two of these companies continued to claim participation in Privacy Shield after allowing their annual certifications to lapse, and failed to comply with the framework.
That brings the total to 21 enforcement actions related to Privacy Shield since its establishment in 2016. Thus, there can be little doubt that Privacy Shield compliance represents an enforcement priority for the FTC.
But what is Privacy Shield?
If you are a US company doing business in the EU, you should know.
By now, any US company doing business in the EU is certainly aware of the General Data Protection Regulation (GDPR) and the risk it presents to companies that fail to comply. Indeed, most such companies spent a lot of time and money in the early part of 2018 reworking their published Privacy Policies to comply with the GDPR. But many companies failed to fully understand the GDPR or actually bring their data practices into compliance.
Are you one of them? Let’s put it this way:
If you are a US company doing business in the EU and have not self-certified in Privacy Shield, there is a good chance that you may be transferring data from the European Economic Area (EEA) to the US in violation of the GDPR. Note that if a US company transfers EEA data to the US through a partner/processor—such as an analytics service that has its servers in the US—then the partner rather than the company is responsible for compliance; provided, however, that the company must enter into a Data Processing Agreement with the partner whereby the partner confirms its compliance with GDPR requirements. In such cases, the company should confirm that its partner is Privacy Shield certified.
The GDPR prohibits the transfer of personal data outside of the EEA to a third-party country unless the recipient country provides an “adequate level of data protection,” the data exporter puts appropriate safeguards in place, or an exemption or derogation exists to justify the transfer.
From the EU’s perspective, the US does not have an adequate level of data protection. Moreover, while an exemption or derogation may justify some transfers of personal data, it does not offer the broad protection of self-certification under Privacy Shield.
Consent is the strongest category of exemption. But it requires a clear disclosure to the data subject of what you plan to do with the data, including all associated risks, and his/her explicit consent to the transfer of the data outside the EEA. Most of the other exemptions and derogations apply to government entities and public authorities, or require particular approval by the relevant Data Protection Agency.
Privacy Shield provides US companies with broader protection.
In order to self-register, a US company must confirm its eligibility to participate in Privacy Shield. That means that the company must be subject to the jurisdiction of the FTC or the Department of Transportation. That generally means that banks, federal credit unions, and savings and loan institutions are not eligible to participate in Privacy Shield.
But for US companies doing business in the EU, GDPR compliance and Privacy Shield certification go hand in hand.
Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law and Digital Marketing.