Commercial cross-border data flows continue to grow in our internet-enabled economy. These data flows, often involving personal data, support innovative new business services and consumer products. At the same time, they raise questions of how to protect privacy across borders. Various mechanisms help both businesses and consumers with this challenge. One in which the FTC plays a key role is the EU-U.S. Privacy Shield.
Privacy Shield is a program with a set of Principles to which U.S. companies can self-certify. Those companies can then transfer data from the European Union to the United States in compliance with EU data protection requirements. The U.S. government and the European Commission negotiated the Privacy Shield Principles to enhance and replace the U.S.-EU Safe Harbor Framework. Privacy Shield also includes safeguards and limitations, addressed by other parts of the U.S. government, about national security and law enforcement data access. As of April 12, 2017, companies can also join a Swiss-U.S. Privacy Shield for transfers from Switzerland.
Here are answers to questions we’ve heard from businesses about Privacy Shield.
How does a company join?
To join Privacy Shield, a company must be subject to the jurisdiction of the FTC or Department of Transportation, and must certify to the Department of Commerce that it complies with the Privacy Shield Principles. The Department of Commerce administers the program and provides a step-by-step guide for U.S. businesses that wish to join. The Department’s Privacy Shield website also provides information for EU businesses, individuals and government agencies.
What companies are in Privacy Shield?
The Department of Commerce maintains a list of companies that have joined. Each entry includes a company’s covered subsidiaries, a description of the covered data, and dispute resolution information. Currently about 1,900 companies have joined the Privacy Shield program.
If the Department of Commerce administers the program, what is the FTC’s role?
The FTC enforces the promises companies make when joining Privacy Shield. When Privacy Shield launched in 2016, a letter setting out the FTC’s commitments was part of the Privacy Shield package. The FTC committed to give priority consideration to referrals from EU authorities and to address false claims of participation in the program. Acting Chairman Ohlhausen has recently confirmed that the FTC “will continue to enforce the Privacy Shield protections.”
What’s your advice for U.S. companies on complying with Privacy Shield?
- Participation is voluntary – but if you join, you must follow the rules. As a company, you can benefit from joining Privacy Shield. But joining means that the FTC can sue you for not living up to that commitment. Indeed, the FTC brought 39 cases for lack of compliance with Privacy Shield’s predecessor, Safe Harbor. The FTC will pursue enforcement if companies mislead consumers about their participation in Privacy Shield or other international privacy certification programs. Just last month, for example, the FTC announced three actions against companies falsely claiming participation in another international privacy program, the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system.