FAQ: How is the Privacy Shield Framework being enforced?

The FTC has issued its first enforcement actions for companies found in violation of the EU-U.S. Privacy Shield Framework, but are the rules doing enough to protect consumer data?

The EU-U.S. Privacy Shield is a self-certifying framework for protecting personal data transferred from the European Union to the United States. The framework was agreed to by the European Commission and the U.S. Department of Commerce on Feb. 2, 2016, and replaced the Safe Harbor Framework. Privacy Shield was designed to impose more stringent data protection obligations on U.S. businesses and establish a stronger enforcement scheme for the Commerce Department and the Federal Trade Commission.

Under the Privacy Shield, if a company wants to transfer personal data outside of the European Union, it must be deemed to provide "adequate" privacy protection by certifying to the Commerce Department that the company complies with the Privacy Shield Principles. More than 2,400 companies were certified under the Privacy Shield in the first year after it was launched, according to the European Commission's (EC) first annual report on the framework. That number is greater than the total number of companies that participated in the Safe Harbor Framework during the final 10 years it was in place.

Why did the Federal Trade Commission charge three U.S. companies with not complying with the EU-U.S. Privacy Shield Framework?

In three separate cases announced in September 2017, the Federal Trade Commission (FTC) alleged that Decusoft LLC, Md7 LLC, and Tru Communication Inc. made false claims about participating in the EU-U.S. Privacy Shield. Specifically, the companies misrepresented their status in regard to the certification process, according to the FTC.

The privacy policies on Decusoft's website included statements that the company had certified its compliance when it had not. Decusoft is a New Jersey-based business that develops software for human resources applications. Although the company had initiated its Privacy Shield certification application, it did not complete all of the necessary steps.

Md7's website included the statement that the company "complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from Individual Customers in the European Union member countries." However, the California-based company, which works with the wireless industry to manage cellphone tower sites, had not received its Privacy Shield certification.

The website of Tru Communication -- a California-based printing company also known as -- stated that the company "will remain compliant and current with Privacy Shield at all times" when it had not completed the certification.

What is the significance of the FTC's first three Privacy Shield enforcement actions?

The cases brought against Decusoft, Md7 and Tru Communication were the first actions the Federal Trade Commission took against false claims regarding the Privacy Shield. Earlier in the year, a number of European regulators and privacy advocates had expressed concern about the U.S. government's commitment to the privacy framework. In July, Human Rights Watch and Amnesty International warned that U.S. surveillance laws and programs are so broad and poorly safeguarded that they render the Privacy Shield invalid.

The FTC announced its first three enforcement actions about one week before European officials and U.S. government officials met in Washington for the first annual joint review of the Privacy Shield Framework.

How were the U.S. companies penalized for the Privacy Shield charges initiated by the Federal Trade Commission?

Decusoft, Md7 and Tru Communication agreed to settle the charges brought by the FTC. By agreeing to proposed settlement orders, the companies did not have to admit any guilt. The orders ban the companies from misrepresenting their compliance with any privacy program sponsored by a government, self-regulatory or standard-setting organization. The orders also set out a number of reporting and notification requirements. If a final consent order is violated, a civil penalty of up to $40,654 could be imposed on the violating company.

Are privacy advocates satisfied with the efficacy of the framework?

Several civil liberties organizations, including Amnesty International, Human Rights Watch and the American Civil Liberties Union, have voiced concern that the Privacy Shield does not sufficiently protect Europeans' data privacy. In a joint letter to the European Commission on July 26, 2017, Human Rights Watch and Amnesty International called for the framework to be re-evaluated, arguing that U.S. protection of personal data is not equivalent to that guaranteed within the European Union.

The groups called on Europe to encourage the U.S. government to adopt binding reforms to comply with the EU's Charter of Fundamental Rights. The groups maintain that current protections fall short of EU standards, especially when U.S. foreign intelligence surveillance laws and programs are considered.

Is the Privacy Shield working?

The European Commission issued its first annual report on the Privacy Shield Framework on Oct. 18, 2017, a little over a month after the Federal Trade Commission publicized its enforcement actions against three U.S.-based companies.

According to the report, the United States has stepped up its procedures for handling data privacy complaints and enforcement. It also said that the Privacy Shield certification process is working well. Nonetheless, the commission called for greater compliance monitoring, recommending that the Department of Commerce conduct regular searches for companies that make false claims about their participation. It also recommended more cooperation between the Commerce Department, the FTC and the EU Data Protection Authorities.

EC Commissioner for Justice, Consumers and Gender Equality Věra Jourová stated in the report that the framework is "a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards."

The report also recommended that the U.S. administration make a permanent appointment to the position of Privacy Shield ombudsperson as soon as possible.
