It’s been five months since the EU introduced its sweeping General Data Protection Regulation (GDPR), but despite its global compliance mandates, US enterprises that handle EU-based personal data have not exactly moved in droves to become compliant. A 2015 United States Census Bureau survey estimated around 46.5 million businesses operating in the United States. To date, only 3,858 of them have self-certified under the EU-US Privacy Shield Framework.
National data regulator activity in the first four months of the GDPR suggests a change in attitude is required in order for American businesses to avoid the serious financial penalties and reputational damage caused by a violation decision. Some big names have caught on – Google and Dropbox both secured Privacy Shield certification last month. But most have not.
On paper, the GDPR enables sanctions against any undertaking worldwide which violates its provisions. In practice, the Regulation’s reach depends on the tenacity of national data regulators.
The UK’s Information Commissioner’s Office has already issued its first enforcement action under the Data Protection Act 2018, which activated the Regulation in the UK. The Enforcement Notice was issued against AggregateIQ Data Services Ltd, a company headquartered in Victoria, Canada, citing concern over the use of EU citizens’ personal data it had obtained from a third party, under pretense of behavioral marketing, for political advertising in 2016. The Notice held the entity non-compliant with the Regulation’s provisions relating to lawful processing of data and failure to inform data subjects about the processing of personal data sourced from a third party. AggregateIQ, which under the Regulation could be penalized up to the greater of €20 million or 4% of global turnover, has moved to appeal the Notice.
EU-US Privacy Shield Certification
There are frameworks in place which permit overseas businesses to use EU citizens’ personal data in compliance with the Regulation. A cost-effective and relatively straightforward measure businesses can take is to self-certify under the US-EU Privacy Shield Framework. The Framework is the product of an agreement between the EU Commission and US Department of Commerce, in which it was ruled to offer equivalent data protection to the provisions of the Regulation.
Self-certification is achieved through submitting a business’s data-protection policies for approval by the US Department of Commerce. In order to be approved, these policies must include detail on:
- The business’s obligations under the Privacy Shield Framework;
- The rights of data subjects under the Privacy Shield Framework;
- Independent recourse mechanisms by which disputes can be resolved (these potentially involve a binding arbitration decision issued by the Framework’s Privacy Shield Panel); and
- Acknowledgement of the right of the Federal Trade Commission (FTC) to enforce non-compliance measures.
On approval, the business will be publicly listed as Privacy Shield certified. It is of course necessary to adhere closely to the self-certification requirements, as the FTC can sanction businesses which falsely claim or improperly implement certification. Last month, it brought charges against three US businesses on these grounds.
In September 2017, US and EU officials conducted the first annual review of the EU-US Privacy Shield Framework, concluding then that it continued to provide adequate protection for personal data transfers. At the second annual review of the Framework, currently under way, the European Data Protection Board has already voiced concerns regarding protection of personal data gathered by US national security agencies. This issue is not going away.
For now, self-certification under the EU-US Privacy Shield Framework is a relatively cost-efficient means of protecting a business from serious penalties, both financial and reputational, resulting from a complaint brought by an EU-based employee, client or customer.
If you have any questions or need assistance, we’re ready to help.
Who to call?
New York – Allan Rooney, Founding Partner – firstname.lastname@example.org +1 212 545 8022
London – Edward Sloan, Founding Partner London – email@example.com– +44 (0)208 629 2151
This article is one of a series intended to de-mystify common legal issues for the non-lawyer and entrepreneur audience – they are designed to foster discussion and is by no means exhaustive. These materials are for informational purposes only. Nothing herein is intended nor should be regarded as legal advice. The distribution of this article to any person does not establish an attorney-client relationship with our firm. Rooney Nimmo assumes no liability in connection with the use of this publication. This bulletin is considered attorney advertising under the applicable rules of New York State. Rooney Nimmo UK is regulated by the Law Society of Scotland and Rooney Nimmo US by the New York Rules of Professional Conduct. All Attorneys and Solicitors listed in this firm stipulate their jurisdictional limitations. Rooney Nimmo in the USA is a law firm registered as a New York State Professional Corporation.