Protecting Privacy in Transatlantic Data Flows: The EU–U.S. Privacy Shield


Commercial cross-border data flows continue to grow in our internet-enabled economy. These data flows, often involving personal data, support innovative new business services and consumer products. At the same time, they raise questions of how to protect privacy across borders. Various mechanisms help both businesses and consumers with this challenge. One in which the FTC plays a key role is the EU-U.S. Privacy Shield.

Privacy Shield is a program with a set of Principles to which U.S. companies can self-certify. Those companies can then transfer data from the European Union to the United States in compliance with EU data protection requirements. The U.S. government and the European Commission negotiated the Privacy Shield Principles to enhance and replace the U.S.-EU Safe Harbor Framework. Privacy Shield also includes safeguards and limitations, addressed by other parts of the U.S. government, about national security and law enforcement data access. As of April 12, 2017, companies can also join a Swiss-U.S. Privacy Shield for transfers from Switzerland.

Here are answers to questions we’ve heard from businesses about Privacy Shield.

How does a company join?

To join Privacy Shield, a company must be subject to the jurisdiction of the FTC or Department of Transportation, and must certify to the Department of Commerce that it complies with the Privacy Shield Principles. The Department of Commerce administers the program and provides a step-by-step guide for U.S. businesses that wish to join. The Department’s Privacy Shield website also provides information for EU businesses, individuals and government agencies.

What companies are in Privacy Shield?

The Department of Commerce maintains a list of companies that have joined. Each entry includes a company’s covered subsidiaries, a description of the covered data, and dispute resolution information. Currently about 1,900 companies have joined the Privacy Shield program.

If the Department of Commerce administers the program, what is the FTC’s role?

The FTC enforces the promises companies make when joining Privacy Shield. When Privacy Shield launched in 2016, a letter setting out the FTC’s commitments was part of the Privacy Shield package. The FTC committed to give priority consideration to referrals from EU authorities and to address false claims of participation in the program. Acting Chairman Ohlhausen has recently confirmed that the FTC “will continue to enforce the Privacy Shield protections.”

What’s your advice for U.S. companies on complying with Privacy Shield?

  1. Participation is voluntary – but if you join, you must follow the rules. As a company, you can benefit from joining Privacy Shield. But joining means that the FTC can sue you for not living up to that commitment. Indeed, the FTC brought 39 cases for lack of compliance with Privacy Shield’s predecessor, Safe Harbor. The FTC will pursue enforcement if companies mislead consumers about their participation in Privacy Shield or other international privacy certification programs. Just last month, for example, the FTC announced three actions against companies falsely claiming participation in another international privacy program, the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system.
  2. Describe your data practices accurately, both in your privacy policy and elsewhere. Express and implied statements about how you handle consumer data are claims subject to the FTC Act. In particular, be careful adapting a template or industry sample to create your company’s privacy policy. You need to make sure all the Privacy Shield requirements are covered and that each section accurately reflects your company’s individual practices. One policy does not fit all. The Department of Commerce has some FAQs on privacy policies to help you develop your own. Reread your privacy policy and check the certification logos or marks on your site. You’re making promises you need to keep.
  3. Build compliance checks into your business. Technology changes fast, and company practices can change even faster. So data compliance isn’t just a one-and-done box to check. That’s why self-regulatory systems like Privacy Shield require companies to re-evaluate their practices regularly. Periodically take a fresh look at your privacy policy and set calendar reminders to check on your certifications. Don’t let your annual Privacy Shield certification expire while still claiming participation. The FTC has sued companies that failed to maintain their annual certification, but still claimed to participate. And if your company participated in Safe Harbor, review your privacy policy to make sure there aren’t outdated references to participation in that program.

To learn more, see the FTC’s Privacy Shield page and the Department of Commerce’s page at www.privacyshield.gov.

Comments

Last week 76% of the members of the European Parliament voted to ask the European Commission to review the Privacy Shield. Their objections were as follows:
1. Access to EU citizens’ data by US authorities
2. The possibility of collecting bulk data
3. The US Ombudsperson
4. The cost and complexity of the redress mechanism
Since it is unlikely that the US Congress will get rid of Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S. Code § 1881a) and given the fact that it has just done away with the FCC's few attempts at privacy protection, it is doubtful that the Privacy Shield will last much past fall. The GDPR goes into effect in about a year. It will take small companies 4 months to comply and large companies 18 months. Large companies should start to consider other methods like the CASBs or geo segregation.
