October 17th, 2017
Privacy Shield: Year One Updates You Need To Know
This month we're celebrating Privacy Shield's first birthday (albeit a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield front that companies certified, or seeking self-certification, under Privacy Shield need to know. (For a primer on Privacy Shield, check out our previous post here.)
FTC Enforcement Has Arrived
On September 8, we got our first taste of Privacy Shield enforcement. The FTC announced enforcement actions against three companies for allegedly making false statements in their privacy policies that they participated in Privacy Shield when they had not actually registered as participants with the Department of Commerce (DoC). The FTC entered into consent orders with the companies, which prohibit the companies from misrepresenting their participation "in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework." Further, the consent orders require the companies to comply with reporting and notice, record-keeping, and monitoring obligations, some of which extend 20 years.
Expect Continued and Amplified Enforcement by the FTC
The Court of Justice of the European Union (CJEU) invalidated the old Safe Harbor Framework, in part due to alleged lack of oversight and enforcement. When constructing Privacy Shield, EU and U.S. representatives worked to address this issue by adding a requirement that the U.S. government and participants must submit each year to a review by the European Commission of their compliance with the Privacy Shield Principles. The first annual review took place during the week of September 20, and concluded with a joint statement from the European Commission and U.S. Secretary of Commerce indicating continued support and commitment to Privacy Shield. On October 18, European regulators published a written report detailing the discussions and providing recommendations for improvement. The full report is available here.
While Privacy Shield survived its first annual review, the report demands stronger enforcement by the DoC, among other things. In order to prove its commitments under Privacy Shield, the DoC will need to look beyond companies that misrepresent their participation in Privacy Shield, and it is likely that future FTC enforcement actions will dig deeper into company practices. If you participate in Privacy Shield, you should routinely document your compliance with the Privacy Shield Principles, including the Principles of Choice and Accountability for Onward Transfer, and make sure to complete your annual compliance review requirement.
All Participants Must Pay a New Fee to Establish the Arbitral Fund
Privacy Shield requires the DoC to establish a fund to cover arbitrator costs for proceedings brought pursuant to the Privacy Shield arbitration requirement. In October, the DoC announced details about the arbitral fund, including that the fund will be managed by the Dispute Resolution-American Arbitration Association (ICDR-AAA) and all Privacy Shield participants must pay a fee to establish the fund. This arbitral fund fee is in addition to the required registration and renewal fees. Companies applying to participate in Privacy Shield must now pay the fee when they register with the DoC while companies already participating in Privacy Shield must pay the fee no later than December 1. If you participate in Privacy Shield, make sure to pay the fee before the deadline as failure to pay the fee could cause your participation status to lapse and potentially result in an FTC enforcement action. You can pay the fee here.
Standard Contractual Clauses under Scrutiny
As most Privacy Shield participants know, Privacy Shield is only one option for lawful data transfers from the EU to the U.S. Standard contractual clauses or "model clauses" are another important option, which became even more prevalent after the CJEU invalidated Safe Harbor. Following the invalidation of Safe Harbor by the CJEU in October 2015, the plaintiff from that matter, Max Schrems, brought a similar case with the Irish Data Protection Commission (DPC) against Facebook challenging the validity of standard contractual clauses. In May 2016, the DPC referred the case to the Irish High Court on grounds that while standard contractual clauses are likely invalid, the DPC does not have the authority to declare them so under EU law. Last month, on October 3, the Irish High Court also deferred, finding that standard contractual clauses pose "well founded concerns" and referring the case to the CJEU. We now find standard contractual clauses in a similar position to the circumstances that led to the invalidation of Safe Harbor in 2015.
Although standard contractual clauses are still valid and the CJEU is not expected to render a decision for a year or two, companies currently dependent on standard contractual clauses for the transfer of data from the EU to the U.S. should strongly consider applying for self-certification under Privacy Shield. While Privacy Shield does not address data transfers from the EU to countries other than the U.S., having an alternative mechanism in place to address EU-U.S. data transfers may help companies become less dependent on standard contractual clauses and be better prepared in the event the CJEU invalidates standard contractual clauses.
If you have questions about Privacy Shield, standard contractual clauses, or any other privacy matters, contact Greg Boyd at (212) 826 5581 or email@example.com, Daniel Goldberg at (310) 579 9616 or firstname.lastname@example.org, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.