The EU-US Privacy Shield, a framework that allows companies to transfer personal data from the EU to the US in compliance with the GDPR, has been under fire for not providing adequate protection to EU citizens.  As Foley noted in 2017, the EU's Article 29 Working Party (now the European Data Protection Board) identified "a number of significant concerns" with the Privacy Shield in the Working Party's First Annual Joint Review, among them a lack of oversight by US authorities.  More recently, on June 12, 2018, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) passed a resolution calling on the European Commission to suspend the Privacy Shield unless the US fully complies with its requirements by September 1, 2018, citing past privacy breaches by US-based companies.

What are US companies doing wrong?

The Privacy Shield was designed to provide companies on both sides of the Atlantic with a mechanism to comply with strict EU data protection requirements when transferring personal data from the EU to the US.  As it stands currently, a US-based company can join the Privacy Shield Framework by self-certifying to the Department of Commerce that it complies with the Framework's requirements.  While joining the Privacy Shield Framework is voluntary, once a company makes a public commitment to comply with its requirements (in particular the commitments laid out in an entity's privacy policy), that commitment becomes enforceable under US law.  For most companies (that is, those that do not fall under the jurisdiction of the Department of Transportation), failure to comply with those commitments is a violation of Section 5 of the FTC Act, which prohibits unfair and deceptive acts.

Currently, the Privacy Shield requires participating US companies to (1) inform individuals that their data is being processed; (2) provide free and accessible dispute resolution; (3) maintain data integrity and limit collected personal information to information relevant for processing; (4) ensure accountability for data transferred to third parties; and (5) be transparent about any enforcement actions taken against them based on non-compliance.  However, LIBE and other EU entities have questioned the US's commitment to compliance, pointing to recent data breaches such as the Facebook-Cambridge Analytica breach.  Although Facebook admitted in April that as many as 87 million users' data had been improperly passed to third parties, it remains a part of the Privacy Shield Framework, as does SCL Elections, an affiliate of Cambridge Analytica.

LIBE wants US authorities to respond to privacy breaches like the Facebook-Cambridge Analytica breach immediately and, if necessary, to remove companies from the Privacy Shield Framework.  In a press release accompanying LIBE's resolution, Civil Liberties Committee Chair Claude Moraes stated:

While progress has been made to improve on the Safe Harbor agreement [which was invalidated and replaced by the Privacy Shield], the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR.

What does this mean for US companies going forward?

The increased scrutiny on US compliance could lead to an uptick in FTC enforcement actions.  In the past, the FTC has not been shy about bringing enforcement actions against companies for falsely claiming they were certified to participate in the Privacy Shield.  Furthermore, the FTC has recently stressed its willingness to enforce US-based companies' voluntary adoption of the GDPR, the EU's new law on data protection that came into effect May 25.  FTC spokeswoman Juliana Gruenwald Henderson told Bloomberg Law that "[i]f a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices," the FTC will require them to comply with those commitments.

The same holds true for the Privacy Shield.  Statements about adherence to the Privacy Shield are representations to the consumer, and US companies will be taking a big risk if they self-certify without fully guaranteeing compliance.  While the Facebook-Cambridge Analytica breach occurred before Facebook joined the Privacy Shield Framework, the company will need to think twice about compliance going forward.
