U.S. Regulators Continue to Administer and Enforce the Privacy Shield
August 6, 2020, Covington Alert
On July 16, 2020, the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield (“Privacy Shield”) in the Schrems II decision. Even though Schrems II invalidated the Privacy Shield with immediate effect as a matter of EU law, U.S. regulators swiftly indicated that they will continue to administer the Privacy Shield and that self-certified companies remain subject to Privacy Shield obligations. This apparent disconnect between EU and U.S. authorities has led to substantial uncertainty for U.S. companies seeking to transfer personal information from the EU to the United States.
The Privacy Shield is administered in the U.S. by the Department of Commerce (“Commerce”). On the same day as Schrems II was decided, U.S. Secretary of Commerce Wilbur Ross issued a statement indicating that Commerce was “deeply disappointed” in the decision but would remain in close contact with EU regulators “to limit the negative consequences” for U.S. companies and trans-Atlantic data flows.
The statement also indicated that Commerce “will continue to administer the Privacy Shield program,” including processing submissions for self-certifications and re-certifications, and that Schrems II “does not relieve participating organizations of their Privacy Shield obligations.” Commerce also issued a similar statement on the Privacy Shield website, indicating that the Privacy Shield “is no longer a valid mechanism” but that while “we work to resolve the situation,” Commerce would continue to administer the Privacy Shield program.
Shortly after Commerce’s statements, the Federal Trade Commission (“FTC”), which enforces Privacy Shield obligations in the U.S., released another statement indicating that companies that are certified to the Privacy Shield must continue complying with its obligations:
We continue to expect companies to comply with their ongoing obligations with respect to transfers made under the Privacy Shield Framework. We also encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they describe their privacy practices accurately, including with regard to international data transfers.
The FTC enforces the Privacy Shield under Section 5 of the FTC Act, generally on the theory that failing to adhere to Privacy Shield obligations is a deceptive practice because companies represent in both their privacy policies and the Privacy Shield website listing that they adhere to the Privacy Shield. FTC Chairman Joe Simons was questioned about the Privacy Shield during August 5 testimony before the Senate Commerce Committee, and reinforced the fact that certified companies have continuing obligations to protect personal information transferred under the Privacy Shield in accordance with the Privacy Shield Principles.
A key question for Privacy Shield certified companies is whether and when companies should remove Privacy Shield language from their privacy policies. Even though the Privacy Shield is invalid, continued compliance with the Privacy Shield Notice Principle requires certain language in privacy policy disclosures. This is further complicated by the fact that the Privacy Shield imposes continuing obligations on data transferred under the framework even after companies “leave the Privacy Shield for any reason.” In addressing this question, relevant considerations will include (1) the scope and language of the current privacy policy; (2) when a company’s Privacy Shield certification is up for renewal; and (3) the company’s approach to replacing the Privacy Shield with alternative mechanisms, such as standard contractual clauses.
If you have any questions concerning the material discussed in this client alert, please contact the following members of our Data Privacy and Cybersecurity practice.
Back
