FAQ: How is the Privacy Shield Framework being enforced?
The EU-U.S. Privacy Shield is a self-certifying framework for protecting personal data transferred from the European Union to the United States. The framework was agreed to Under the Privacy Shield, if a company wants to transfer personal data outside of the European Union, it must be deemed to provide “adequate” privacy protection
Why did the Federal Trade Commission charge three U.S. companies with not complying with the EU-U.S. Privacy Shield Framework?
In three separate cases announced in September 2017, the Federal Trade Commission (FTC) alleged that Decusoft LLC, Md7 LLC, and Tru Communication Inc. made false claims about participating in the EU-U.S. Privacy Shield. Specifically, the companies misrepresented their status in regard to the certification process, according to the FTC.
The privacy policies on Decusoft’s website included statements that the company had certified its compliance when it had not. Decusoft is a New Jersey-based business that develops software for human resources applications. Although the company had initiated its Privacy Shield certification application, it did not complete all of the necessary steps.
Md7’s website included the statement that the company “complies with the EU-U.S. Privacy Shield Framework as set forth
The website of Tru Communication — a California-based printing company also known as TCPrinting.net — stated that the company “will remain compliant and current with Privacy Shield at all times” when it had not completed the certification.
What is the significance of the FTC’s first three Privacy Shield enforcement actions?
The cases brought against Decusoft, Md7 and Tru Communication were the first actions the Federal Trade Commission took against false claims regarding the Privacy Shield. Earlier in the year, a number of European regulators and privacy advocates had expressed concern about the U.S. government’s commitment to the privacy framework. In July, Human Rights Watch and Amnesty International warned that U.S. surveillance laws and programs are so broad and poorly safeguarded that they render the Privacy Shield invalid.
The FTC announced its first three enforcement actions about one week before European officials and U.S. government officials met in Washington for the first annual joint review of the Privacy Shield Framework.
How were the U.S. companies penalized for the Privacy Shield charges initiated
Decusoft, Md7 and Tru Communication agreed to settle the charges brought
Are privacy advocates satisfied with the efficacy of the framework?
Several civil liberties organizations, including Amnesty International, Human Rights Watch and the American Civil Liberties Union, have voiced concern that the Privacy Shield does not sufficiently protect Europeans’ data privacy. In a joint letter to the European Commission on July 26, 2017, Human Rights Watch and Amnesty International called for the framework to be re-evaluated, arguing that U.S. protection of personal data is not equivalent to that guaranteed within the European Union.
The groups called on Europe to encourage the U.S. government to adopt binding reforms to comply with the EU’s Charter of Fundamental Rights. The groups maintain that current protections fall short of EU standards, especially when U.S. foreign intelligence surveillance laws and programs are considered.
Is the Privacy Shield working?
The European Commission issued its first annual report on the Privacy Shield Framework on Oct. 18, 2017, a little over a month after the Federal Trade Commission publicized its enforcement actions against three U.S.-based companies.
According to the report, the United States has stepped up its procedures for handling data privacy complaints and enforcement. It also said that the Privacy Shield certification process is working well. Nonetheless, the commission called for greater compliance monitoring, recommending that the Department of Commerce conduct regular searches for companies that make false claims about their participation. It also recommended more cooperation between the Commerce Department, the FTC and the EU Data Protection Authorities.
EC Commissioner for Justice, Consumers and Gender Equality Věra Jourová stated in the report that the framework is “a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards.”
The report also recommended that the U.S. administration make a permanent appointment to the position of Privacy Shield ombudsperson as soon as possible.