Privacy Shield Compliance: Necessary Reading For US Companies Doing Business In The EU

On December 3, 2019, the Federal Trade Commission (FTC) announced settlements with four companies related to allegations that they deceived consumers over participation in the EU-US Privacy Shield Framework. The companies include Click Labs, Inc., a website and mobile app services provider; Incentive Services, Inc., a developer of service award and incentive programs for employers; Global Data Vault, LLC, a provider of data storage and recovery services; and TDARX, Inc., an IT services provider. According to FTC’s allegations, at least two of these companies continued to claim participation in Privacy Shield after allowing their annual certifications to lapse, and failed to comply with the framework. 

That brings the total to 21 enforcement actions related to Privacy Shield since its establishment in 2016. Thus, there can be little doubt that Privacy Shield compliance represents an enforcement priority for the FTC.

But what is Privacy Shield?

If you are a US company doing business in the EU, you should know.

By now, any US company doing business in the EU is certainly aware of the General Data Protection Regulation (GDPR) and the risk it presents to companies that fail to comply. Indeed, most such companies spent a lot of time and money in the early part of 2018 reworking their published Privacy Policies to comply with the GDPR. But many companies failed to fully understand the GDPR or actually bring their data practices into compliance. 

Are you one of them? Let’s put it this way: 

If you are a US company doing business in the EU and have not self-certified in Privacy Shield, there is a good chance that you may be transferring data from the European Economic Area (EEA) to the US in violation of the GDPR. Note that if a US company transfers EEA data to the US through a partner/processor—such as an analytics service that has its servers in the US—then the partner rather than the company is responsible for compliance, provided that the company enters into a Data Processing Agreement with the partner in which the partner confirms its compliance with GDPR requirements. In such cases, the company should confirm that its partner is Privacy Shield certified.

The GDPR prohibits the transfer of personal data outside of the EEA to a third-party country unless the recipient country provides an “adequate level of data protection,” the data exporter puts appropriate safeguards in place, or an exemption or derogation exists to justify the transfer. 

From the EU’s perspective, the US does not have an adequate level of data protection. Moreover, while an exemption or derogation may justify some transfers of personal data, it does not offer the broad protection of self-certification under Privacy Shield. 

Consent is the strongest category of exemption. But it requires a clear disclosure to the data subject of what you plan to do with the data, including all associated risks, and his/her explicit consent to the transfer of the data outside the EEA. Most of the other exemptions and derogations apply to government entities and public authorities, or require particular approval by the relevant Data Protection Agency. 

Privacy Shield provides US companies with broader protection.

In order to self-register, a US company must confirm its eligibility to participate in Privacy Shield. That means that the company must be subject to the jurisdiction of the FTC or the Department of Transportation. That generally means that banks, federal credit unions, and savings and loan institutions are not eligible to participate in Privacy Shield.

Next, the company must develop a Privacy Policy Statement that complies with Privacy Shield requirements. That means notifying data subjects of your participation in Privacy Shield, the type of data being collected, the purposes for which the data is being used, any third parties with whom you will share the data, the data subject’s right to access the data and his/her choices and means to limit the use and disclosure of such data, and available recourse mechanisms. 

As part of this Privacy Policy, the company must also confirm its commitment to Privacy Shield Principles, including Choice (“clear, conspicuous, and readily available mechanisms” to opt out), Accountability (transferred data “may only be processed for limited and specified purposes consistent with” data subject’s consent), Security (adhering to best industry practices to secure data), Data Integrity (limit data collection to “relevant” data, and ensure it is “reliable for its intended use, accurate, complete and current”), Access (data subject must have access, including ability to correct, amend or delete, personal data), and Recourse, Enforcement and Liability (official complaint handling process and detailed mechanism for dispute resolution through a third-party such as the Better Business Bureau, American Arbitration Association or JAMS).

Once this Privacy Policy is published, you may submit your company’s self-certification to the Department of Commerce. The associated fee is $1,500 or less for companies with annual revenue up to $500 million. You must re-certify your Privacy Shield compliance with the Department of Commerce on an annual basis. And, of course, you face the risk of a potential enforcement action by the FTC, along with civil penalties, in the event you fail to comply with your obligations under Privacy Shield.

In short, for US companies doing business in the EU, GDPR compliance and Privacy Shield certification go hand in hand.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law and Digital Marketing.