Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Continue Reading How to Rise from the Privacy Shield Ashes: A View from the U.S.

The FTC recently finalized settlements with five companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework. In each complaint, the FTC alleged that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. made false and misleading representations when they stated on their websites that they participated under the Privacy Shield framework when they were not participants under the framework. Additionally, in the complaint against EmpiriStat, Inc., the FTC alleged that EmpiriStat, Inc. made false and misleading representations when it stated on its website that it was a current participant under the Privacy Shield framework after it had allowed its certification to lapse and had been warned by the U.S. Department of Commerce to take down its claim of participation.
Continue Reading FTC Finalizes Five Settlements Regarding Privacy Shield Claims

Many organizations are currently focused on updating their privacy policy to include content required by CCPA. While making those edits, now is a good time to take a step back and think more broadly about your privacy program and operations generally, and in particular about the non-CCPA parts of your privacy policy.
Continue Reading Is Your Privacy Policy Ready for 2020?

The EU Commission concluded its third annual review of the EU-U.S. Privacy Shield and found that it continues to provide an adequate level of protection for EU personal data. The program was created as a mechanism to facilitate transfers of personal data from the EU to the US. It is reviewed annually by the EU Commission, as we have discussed in prior posts. That body did express concern with some parts of the program. This included a fear that the US Department of Commerce’s monthly pro-active checks of companies may be too surface level, and did not necessarily include review of the companies’ privacy provisions in vendor contracts.
Continue Reading The Privacy Shield Survives Another EU Commission Review, For Now…

The EU and Japan have reached a “reciprocal adequacy” agreement to allow data to flow more easily between them. As part of a larger bilateral trade deal which included commitments by both parties to reduce tariffs, Japan also agreed to enact additional safeguards to comply with new EU data protection standards. Those additional safeguards include increased data subject rights to access and correction, restrictions upon transfers of EU data from Japan to third countries, and limits on the use of sensitive data. Japan’s independent data protection authority would have enforcement authority over the new rules, and would investigate and resolve complaints from European data subjects. If it is approved by internal committees and regulators in both the EU and Japan, the deal will come into effect this Fall. This agreement comes after pressure this summer from the EU Parliament to suspend the US-EU agreement currently in place (the “Privacy Shield” program).
Continue Reading EU and Japan Strike Tentative Data Transfer Deal

On February 29, 2016, the European Commission and United States released the terms of the much-anticipated renewed framework for the transfer, sharing, and processing of European individuals’ data to the United States. The framework replaces the “Safe Harbour” mechanism, which enabled U.S. companies to transfer data from the EU to the United States by self-certifying that their practices ensured an adequate level of protection for personal data under the EU Data Protection Directive. In October, the “Safe Harbour” framework was declared invalid by the European Court of Justice in the Schrems decision covered earlier in this blog.
Continue Reading EU-US Privacy Shield: Brace Yourself . . . or Maybe Not