The invalidation of the Privacy Shield by the recent Schrems decision has left businesses scrambling as to their data transfers abroad. The FTC can be looked at as a source of guidance for businesses grappling with data transfers in this uncertain landscape.
In July, the Court of Justice of the European Union (CJEU) issued the Schrems II (C-3111/18) decision, invalidating the EU-US Privacy Shield Framework. The EU-US Privacy Shield was a mechanism that allowed United States businesses to transfer European Union personal data to the United States and store it there. The ruling means the United States is no longer treated as an adequate country, so US businesses lose the special access to Europe’s personal data streams the framework provided. However, while the Privacy Shield has been declared invalid, the CJEU ruled that international data flows under the General Data Protection Regulation (GDPR) can continue under the EU Standard Contractual Clauses. Relying on the Standard Contractual Clauses alone calls into question the future of international data flows between the United States and the European Union.
Despite the Schrems II decision invalidating the Privacy Shield Framework, here in the United States the Federal Trade Commission (FTC) will continue to hold companies to the framework’s principles. The FTC has broad civil enforcement authority to promote consumer protection and competition in the commercial sphere, and it will hold companies accountable for violating the international data commitments they made to protect transatlantic data transfers, even though the framework itself has been rejected. Those commitments include adherence to the following principles:
- Notice of participation, types of data collected, and purposes for the data collected.
- Choice of individuals to opt out or consent to types of data being collected.
- Companies taking accountability for onward transfers of personal data collected by third parties while complying with Notice and Choice Principles.
- Companies taking reasonable and appropriate security measures to mitigate risks associated with maintaining personal data collection.
- Ensuring data integrity and purpose legitimation to confirm data is reliable and compatible for collected purposes.
- Ensuring individuals have access to the personal data organizations hold.
- Incorporating robust mechanisms to ensure company compliance and to provide recourse for individuals affected by noncompliance.
Data security and privacy continue to be a major part of ongoing antitrust investigations into technology platforms. Europe is determined to provide strong privacy protections, signalling that data security is one of its key priorities as data collection grows exponentially. Although the Privacy Shield is no longer a viable mechanism for complying with EU data protection requirements, US companies are not relieved of their prior obligations.
We encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they accurately describe their privacy practices, including with regard to international data transfers.
At Octillo, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge who can help your company work towards compliance and data protection in both Europe and the United States. Octillo works with clients to review current policies and assess data security practices. Our team can help implement a plan to address any related data privacy legislation and serve as the appropriate legal counsel to help your company better understand the legal implications surrounding transatlantic data transfers.
*Attorney Advertising. Prior results do not guarantee similar outcomes.