The Federal Trade Commission took more enforcement actions related to the EU-U.S. Privacy Shield Framework in 2019 and the beginning of 2020 than it did in the prior three years combined. The FTC also has alleged deception in many cases where there was no indication that any misrepresentations injured consumers.
Companies that do business with customers residing in the EU face an increasingly aggressive enforcement environment.
EU-U.S. Privacy Shield
The privacy shield is a framework that allows companies to transfer personal information from the European Union to the United States by certifying to the U.S. Commerce Department that they comply with EU privacy requirements (the General Data Protection Regulation).
The validity of the shield has recently been challenged in a case before the EU Court of Justice. In the case, Data Protection Commissioner of Ireland v. Facebook Ireland, an Austrian consumer claims that U.S. privacy protection is inadequate. In advance of a decision, the court’s advocate general issued a non-binding advisory opinion that recommended leaving the framework in place, but noted that EU regulators may suspend data flows to a country whose laws do not allow GDPR compliance.
FTC Enforcement Increases
The FTC, the U.S. agency with enforcement authority over the privacy shield, has recently increased enforcement against U.S. companies for alleged violations of the framework. Many of the companies targeted by the FTC stated in their privacy policies that they participated in the privacy shield while, in fact, their certification had lapsed.
Even companies that never claimed to participate in the privacy shield, but merely stated that they adhere to regulatory frameworks such as the privacy shield, have faced charges of deception under Section 5 of the FTC Act.
The December opinion in the Cambridge Analytica matter, in which the FTC found that the company had falsely claimed it would not collect identifiable information about consumers, offers further insights into how the FTC may view its enforcement role regarding the privacy shield.
Among other allegations, the FTC cited Cambridge Analytica for claiming to participate in the privacy shield and adhere to the framework’s principles, two claims the FTC said were false or deceptive. This case was the first one in which the FTC alleged consumer injury in connection with a privacy shield violation.
In most of the privacy shield cases, moreover, the FTC alleged deception without claiming that the company had failed to comply with the framework's substantive requirements or that the representations were material to a consumer's purchase decision. A company that is the target of a litigated enforcement action could defend on the grounds that any misrepresentation was not material, that is, that it was unlikely to affect a consumer's conduct with respect to the product or service.
Looking Into the Future
Companies of all sizes that operate on both sides of the Atlantic should expect the FTC to continue taking a hard line on any claims related to the privacy shield, in order to demonstrate to the EU that the U.S. takes its obligations under the framework seriously. The FTC has recently stated that it plans to make its enforcement orders more specific. Added specificity could help companies navigate privacy shield compliance.
Additionally, the strength of the FTC’s aggressive position may be tested in the RagingWire Data Centers case, in which the FTC alleges that the data storage services company violated Section 5 of the FTC Act by stating on its website that it complied with the privacy shield even though its privacy shield certification had lapsed.
RagingWire contends that any misrepresentation about its privacy shield compliance “was not and could not have been material to RagingWire’s customers” because the company’s business is “providing physical spaces to house servers owned and operated by its customers…and [it] does not have access to data on its customers’ servers.”
A hearing for this case is currently set for July.
How to Navigate Required Compliance
Companies that wish to transfer consumer data from the EU to the U.S. should carefully examine the statements they make in their privacy policies. Participation in the framework is voluntary, but any statement a company makes about participating in or adhering to the framework must be accurate and must be honored.
The framework also requires annual recertification, so tracking the certification's expiration date should be part of every company's compliance management system. A policy that still describes the company as a participant after the certification has lapsed is exactly the misstatement the FTC has charged as deceptive.
Companies may be surprised to learn that they remain under ongoing obligations even after they stop participating in the privacy shield. More specifically, companies must continue applying privacy shield protections to personal information they collected while participating in the program, or protect that data by another means the framework authorizes.
While the FTC is clearly flexing some enforcement muscle on privacy shield compliance, working successfully within the framework is achievable with some foresight and attention to detail.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Elizabeth E. McGinn, a partner at Buckley LLP, focuses her practice on assisting clients in identifying, evaluating, and managing the risks associated with cybersecurity, internal privacy, and information security practices, as well as those of third-party vendors. A significant part of her practice involves addressing data security breaches, working proactively with clients to prevent data security breaches, and responding to regulatory inquiries, investigations, and enforcement actions related to privacy, information security, and cybersecurity issues.
Jonathan D. Jerison, a senior counsel at Buckley LLP who previously was with the Federal Trade Commission, counsels financial services clients on the consumer protection regulatory, legislative, and transactional matters that impact their business.
Magda Gathani is an associate at Buckley LLP, where she assists clients in a wide range of regulatory, compliance, and licensing matters, and counsels clients on compliance with privacy and data security laws.