October 17th, 2017
Privacy Shield: Year One Updates You Need To Know
This month we're celebrating Privacy Shield's first birthday (albeit, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know. (For a primer on Privacy Shield, check out our previous post here.)
FTC Enforcement Has Arrived
On September 8, we got our first taste of Privacy Shield enforcement. The FTC announced enforcement actions against three companies for allegedly making false statements in their privacy policies that they participated in Privacy Shield when they had not actually registered as participants with the Department of Commerce (DoC). The FTC entered into consent orders with the companies, which prohibited the companies from misrepresenting their participation "in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework." Further, the consent orders required the companies to comply with report and notice, record keeping, and monitoring obligations, some of which extend 20 years.
These enforcement actions shed light on basic mistakes that can lead to FTC scrutiny. Each of the companies involved in these enforcement actions posted a privacy policy indicating it participated in Privacy Shield. Further, each of the companies started the Privacy Shield registration process with the DoC, but did not complete it. And it is not difficult to imagine the facts that led to such circumstances — because the Privacy Shield registration process requires companies to update their privacy policies prior to DoC review, it is possible these companies updated their privacy policies as part of the registration process, yet failed to complete their applications for one reason or another. The DoC then identified these companies as failing to complete their applications, cross-referenced the companies' privacy policies for representations about Privacy Shield, and referred them to the FTC as violators.
So how do you avoid these mistakes? For starters, if you begin the Privacy Shield registration process with the DoC, make sure to complete the process, which may require responding to specific requests from the DoC. If you are already registered, do not forget to renew your self-certification on an annual basis — for many companies, the first annual renewal is already due. If you decide not to complete the process or renew your self-certification, remove any references to Privacy Shield from your privacy policy. As always, never copy and paste template language from another company's privacy policy as that could result in representations that do not accurately reflect your practices.
Expect Continued and Amplified Enforcement by the FTC
The Court of Justice of the European Union (CJEU) invalidated the old Safe Harbor Framework, in part due to alleged lack of oversight and enforcement. When constructing Privacy Shield, EU and U.S. representatives worked to address this issue by adding a requirement that the U.S. government and participants must submit each year to a review by the European Commission of their compliance with the Privacy Shield Principles. The first annual review took place during the week of September 20, and concluded with a joint statement from the European Commission and U.S. Secretary of Commerce indicating continued support and commitment to Privacy Shield. On October 18, European regulators published a written report detailing the discussions and providing recommendations for improvement. The full report is available here.
While Privacy Shield survived its first annual review, the report demands stronger enforcement by the DoC, among other things. In order to prove its commitments under Privacy Shield, the DoC will need to look beyond companies that misrepresent their participation in Privacy Shield, and it is likely that future FTC enforcement actions will dig deeper into company practices. If you participate in Privacy Shield, you should routinely document your compliance with the Privacy Shield Principles, including the Principles of Choice and Accountability for Onward Transfer, and make sure to complete your annual compliance review requirement.
All Participants Must Pay a New Fee to Establish the Arbitral Fund
Privacy Shield requires the DoC to establish a fund to cover arbitrator costs for proceedings brought pursuant to the Privacy Shield arbitration requirement. In October, the DoC announced details about the arbitral fund, including that the fund will be managed by the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) and that all Privacy Shield participants must pay a fee to establish the fund. This arbitral fund fee is in addition to the required registration and renewal fees. Companies applying to participate in Privacy Shield must now pay the fee when they register with the DoC, while companies already participating in Privacy Shield must pay the fee no later than December 1. If you participate in Privacy Shield, make sure to pay the fee before the deadline, as failure to pay the fee could cause your participation status to lapse and potentially result in an FTC enforcement action. You can pay the fee here.
Standard Contractual Clauses under Scrutiny
As most Privacy Shield participants know, Privacy Shield is only one option for lawful data transfers from the EU to the U.S. Standard contractual clauses or "model clauses" are another important option, which became even more prevalent after the CJEU invalidated Safe Harbor. Following the invalidation of Safe Harbor by the CJEU in October 2015, the plaintiff from that matter, Max Schrems, brought a similar case with the Irish Data Protection Commission (DPC) against Facebook challenging the validity of standard contractual clauses. In May 2016, the DPC referred the case to the Irish High Court on grounds that while standard contractual clauses are likely invalid, the DPC does not have the authority to declare them so under EU law. Last month, on October 3, the Irish High Court also deferred, finding that standard contractual clauses pose "well founded concerns" and referring the case to the CJEU. We now find standard contractual clauses in a similar position to the circumstances that led to the invalidation of Safe Harbor in 2015.
Although standard contractual clauses are still valid and the CJEU is not expected to render a decision for a year or two, companies currently dependent on standard contractual clauses for the transfer of data from the EU to the U.S. should strongly consider applying for self-certification under Privacy Shield. While Privacy Shield does not address data transfers from the EU to countries other than the U.S., having an alternative mechanism in place to address EU-U.S. data transfers may help companies become less dependent on standard contractual clauses and be better prepared in the event the CJEU invalidates standard contractual clauses.
If you have questions about Privacy Shield, standard contractual clauses, or any other privacy matters, contact Greg Boyd at (212) 826 5581 or gboyd@fkks.com, Daniel Goldberg at (310) 579 9616 or dgoldberg@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.