EU-US Privacy Shield

We’ve discussed the nature of this before, but the EU-US Privacy Shield has gone into full effect. This program essentially restricts the ability of U.S. commercial entities to do business in the European Union due to the ability of the U.S. government to use international businesses to improperly conduct surveillance on citizens within the European Union. In response, the European Union removed the blanket ability of U.S. companies to do business with European Union members as part of the Safe Harbor provision. The Safe Harbor provision was loosely drafted in its self-certification, prompting the switch to the Privacy Shield today. As it stands now, this program is still in its fledgling stages, with registrations beginning on August 1, 2016. These registrations begin with a murky area of international commerce. So, how could one join the Privacy Shield? Is your organization even eligible? What might happen if an organization refuses to participate?

How can you join the Privacy Shield?

The Privacy Shield is open to any business that is subject to regulation by the Federal Trade Commission (FTC) or Department of Transportation (DOT). In general, conducting business and affecting commerce would qualify entities under this regulation, although there are some exceptions, such as financial institutions, labor associations, and non-profit organizations, that may not qualify. After meeting the base qualifications, an entity may then “self-certify” by coming up with a plan that meets the basic requirements of the EU-US Privacy Shield. This would include measures to protect the data of European customers and employees stationed in Europe, even after ending participation in the Privacy Shield.

What are the consequences for an entity breaking the Privacy Shield?

For not certifying, the current consequences are unclear. Currently, Apple and Facebook have yet to certify, and given how the Privacy Shield got its start, this would be an interesting loophole in the registration process. Any consequences for violating the law would likely come from European privacy laws, if an entity were to violate them during data transfers. However, after certification, the FTC and DOT would have jurisdiction. This could be done, in part, by the Ombudsmen, as well as by various systems that entities are required to set up in order to promote privacy. Indeed, businesses are allowed to use a number of arbitration services, like JAMS, Better Business Bureau, or American Arbitration Association. In addition, even after registration, if an entity opted out of the program, all information gathered during its participation in the program will have to be treated as if it were still in the market.

The EU-US Privacy Shield appears to be an interesting addition to international commerce regulations. Although it remains to be seen whether the EU-US Privacy Shield will maintain effectiveness over the old Safe Harbor provisions, we are here to help with questions. At our law firm, we assist clients with legal issues related to business, intellectual property, cybersecurity, and e-commerce transactions. You may contact us to set up an initial consultation.