Privacy and data security continue to make headlines and this time the waves are coming from the European Court of Justice (i.e., the highest court of the European Union). Without comprehensive U.S. federal privacy legislation, it is of little to no surprise (albeit disappointing) that the European Court of Justice (the “Court”) invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards with respect to the transfer of personal data located in Europe to the United States.

 

What is Privacy Shield and What Happened to Change it?

The EU-U.S. Privacy Shield Framework (“Privacy Shield”), as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”


Continue Reading European Court of Justice Invalidates EU-U.S. Privacy Shield and Upholds Standard Contractual Clauses

For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.

Continue Reading A Privacy Shield Enforcement Action: More to Come?

This month we’re celebrating Privacy Shield’s first birthday (admittedly, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know. If you are looking for a quick primer on Privacy Shield, please check out our previous post here. Once you’re ready, read on:
Continue Reading Privacy Shield: Year One Updates You Need To Know

2016 brought important news for any company that transfers across borders, or receives cross-border transfers of, consumer or employee personally identifying data (very broadly defined). On July 12th, the European Commission adopted the so-called “Privacy Shield” mechanism for data transfer between the European Economic Area and the US. US companies that choose to do so were able to self-certify for the Shield beginning August 1, 2016. But while approval of the Shield is welcome news to many companies that relied on the previously invalidated Safe Harbor Framework, not everyone will want to take advantage of it. Alternative data transfer mechanisms still exist. And for some companies the Privacy Shield may ultimately lead to more, not less, risk. Here’s a summary of what you need to consider.

Continue Reading The New “Privacy Shield”: What Does it Mean for Your Company?