Cross-border personal data transfer is governed by various mechanisms, including the EU-U.S. Privacy Shield.
The Privacy Shield was negotiated following the U.S.-EU Safe Harbor Framework. It includes various safeguards pertaining to national security and law enforcement data access.
In order to transfer data from the European Union to the United States in compliance with EU data protection requirements, U.S. companies must be subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation, and certify that they are compliant with the underlying Privacy Shield Principles.
A list of companies that have joined the program and a description of the covered data are maintained by the Department of Commerce.
The role of the FTC is to enforce the representations made by those that join the program and Acting Chairman Maureen Ohlhausen has recently indicated that the agency will continue to enforce the Privacy Shield protections.
The FTC has provided guidance to U.S. companies on complying with the Privacy Shield.
First, while participation is voluntary, those that join must follow the rules or risk being the subject of a regulatory enforcement action. The FTC brought 39 cases for failing to comply with Safe Harbor. Misrepresentations to consumers regarding participation are also actionable. Take care not to permit the Privacy Shield certification to expire while you are claiming participation.
Second, data practices must be described accurately, including in privacy policies. Misrepresentations regarding the handling of consumer data are subject to the FTC Act. All Privacy Shield requirements must be covered. The Department of Commerce provides FAQs on privacy policies.
Lastly, the FTC cautions participants to ensure that compliance checks are built into your business. In fact, the Privacy Shield requires companies to re-evaluate their practices on a regular basis.
Consult with an FTC and state AG compliance and defense lawyer if you would like to learn more about the EU-US Privacy Shield Program.
Follow me on Twitter at FTC Law Defense.
HINCH NEWMAN LLP. ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result.
Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.