The FTC and the new US-EU framework for data transfer

By: Elsa Mandel

http://europa.eu/rapid/press-release_IP-16-216_en.htm

On February 2nd, the European Commission and the United States announced their agreement on the “Privacy Shield”, a new legal framework for data flows between the EU and the US that would replace the former “Safe Harbor” mechanism.

The international Safe Harbor was an agreement between the EU and the US that laid down principles that enabled US companies to comply with privacy laws protecting European Union citizens. In a nutshell, this “Safe Harbor” was a way for American companies to self-certify to the Commerce Department that they complied with the European standards of data transfer and processing. Within this mechanism, the role of the FTC was then to enforce those promises.

In October 2015, after a user complained that his Facebook data were insufficiently protected, the European Court of Justice declared that the Safe Harbor mechanism was invalid.

The new “Privacy Shield” framework that was announced at the beginning of February sets out stronger obligations for companies in the United States to protect the personal data of European citizens.

Beyond material changes to the Safe Harbor's substantive principles, the US government has also guaranteed that the Privacy Shield would bring stronger enforcement of these principles.

Notably, European consumers will benefit from more direct access to US enforcement. They will have the possibility to file a complaint directly with the FTC, and European Data Protection Agencies' referrals to the FTC will be facilitated.

In reaction to these announcements, however, Commissioner Brill of the FTC noted that consumers from the European Union would, in most cases, go directly to their own DPAs before filing a complaint with the FTC.

Other than that, the FTC’s enforcement will remain the same, and the Commission will continue to enforce, based on §5 of the FTC Act, promises to abide by the Safe Harbor, even though it has been invalidated.

Most likely, the Privacy Shield will have the effect of strengthening cooperation on cross-border data transfers between consumers and government agencies such as the FTC, and clear mechanisms will have to be set up in order to ensure good communication between national DPAs and the FTC.