Data Protection Report - Norton Rose Fulbright

FTC Commissioner Julie Brill sat down this morning with the Information Technology and Innovation Foundation to discuss the EU-US Privacy Shield, the new framework for transatlantic transfer of personal data announced earlier this week.

Commissioner Brill began by discussing the agreement generally, and provided valuable insight on the role of the Federal Trade Commission (FTC) and the implications of the EU-US Privacy Shield for commercial entities in the US. Read on for a discussion of key takeaways from the event.

Role of the FTC

Commissioner Brill elaborated on the role of the FTC under the new cross-border data transfer framework. The EU-US Privacy Shield has expanded the mechanisms to address European consumer complaints regarding the processing of their data in the US – consumers can now express concerns directly to companies, engage in alternative dispute resolution, invoke direct arbitration, go to their country's Data Protection Authority (DPA), or file a complaint with the FTC.

Commissioner Brill noted that she expects most consumers to go directly to their DPA before reporting complaints to the FTC. Commissioner Brill also praised the EU-US Privacy Shield for strengthening communication on cross-border data transfer issues not just between consumers and regulators, but also between government agencies such as the FTC and the Department of Commerce.

Potential Complications

Any new agreement brings with it the potential for complication, and Commissioner Brill focused on several issues that the EU-US Privacy Shield may face.

First, there is a concern with the amount of resources available within the DPAs. As noted, Commissioner Brill expects that most consumer complaints will be filed first with the DPAs. However, the amount of resources the DPAs have to respond to complaints is, from Commissioner Brill’s perspective, a “huge issue” that has not received enough attention.

Commissioner Brill also believes that court challenges to the EU-US Privacy Shield are inevitable. The concern is that those challenges may not take into account the strides that have been made in the areas of privacy and national security since the first Safe Harbor framework was developed (and later invalidated). To combat misinformation, Commissioner Brill stressed the importance of educating the European public and members of Parliament alike.

Advice for Companies

Finally, Commissioner Brill provided advice for companies that are currently involved in the transatlantic transfer of personal information.

The FTC will continue to enforce the pre-existing Safe Harbor principles against companies who represent that they abide by such principles. Commissioner Brill suggested that companies evaluate the types of mechanisms they can use to transfer data now that Safe Harbor is not a valid transfer mechanism, such as Standard Contractual Clauses and Binding Corporate Rules, but recognized that each is expensive, complicated, and may not be appropriate for all data transfers.

Once the EU-US Privacy Shield has been evaluated by the Article 29 Working Party, likely in early March, companies will have to examine the more robust obligations of the new framework and ensure that they are compliant before relying on the framework for data transfers. Commissioner Brill specifically mentioned additional protections for onward transfers, which will impose obligations on both controllers who transfer EU data and entities receiving such data, as an area where companies should focus attention.

Ultimately, Commissioner Brill provided an interesting perspective on the state of cross-border data transfer following the announcement of the EU-US Privacy Shield. We will continue to monitor reactions to the new framework on our blog.
