Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Continue Reading How to Rise from the Privacy Shield Ashes: A View from the U.S.

The FTC recently finalized settlements with five companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework. In each complaint, the FTC alleged that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. made false and misleading representations when they stated that they participated under the Privacy Shield framework on their website when they were not participants under the framework. Additionally, in the complaint against EmpiriStat, Inc., the FTC alleged that EmpiriStat, Inc. made a false and misleading representations when it stated that it was a current participant under the Privacy Shield framework on its website after it had allowed its certification to lapse and had been warned by the U.S. Department of Commerce to take down its claim of participation.
Continue Reading FTC Finalizes Five Settlements Regarding Privacy Shield Claims

Many organizations are currently focused on updating their privacy policy to include content required by CCPA. While making those edits, now is a good time to take a step back and think more broadly about privacy program and operations generally, and in particular about the non-CCPA parts of your privacy policy.
Continue Reading Is Your Privacy Policy Ready for 2020?

Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which as we have reported on previously gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.
Continue Reading A Look Back at 2018 Privacy Shield Enforcement

The EU and Japan have reached a “reciprocal adequacy” agreement to allow data to flow more easily between them. As part of a larger bilateral trade deal which included commitments by both parties to reduce tariffs, Japan also agreed to enact additional safeguards to comply with new EU data protection standards. Those additional safeguards include increased data subject rights to access and correction, restrictions upon transfers of EU data from Japan to third countries, and limits on the use of sensitive data. Japan’s independent data protection authority would have enforcement authority over the new rules, and would investigate and resolve complaints from European data subjects. If it is approved by internal committees and regulators in both the EU and Japan, the deal will come into effect this Fall. This agreement comes after pressure this summer from the EU Parliament to suspend the US-EU agreement currently in place (the “Privacy Shield” program).
Continue Reading EU and Japan Strike Tentative Data Transfer Deal

The Department of Commerce issued an update to explain how it has supported the E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks. As we have written previously, the Shield gives E.U. companies a basis under which it can send personal data to entities in the U.S. The comments from Commerce come after the Europeans raised concerns about the sufficiency of the program, which gets re-evaluated annually.
Continue Reading DoC Comments on Privacy Shield In Advance of GDPR