On February 29, the FTC announced more tentative details of the Privacy Shield program, subject to a determination of adequacy from the EU prior to implementation.[1]  The documents provided concurrent with the announcement suggest that the Privacy Shield program likely will include the following requirements in its final form:[2]

  • Obtain affirmations from organizations that they will follow rules on consent, relevance, proportionality, access, and correction[3];
  • Make arbitration available for disputes;
  • Require additional information to be provided to data subjects, including a declaration of the organization’s participation in the Privacy Shield program, a statement of the data subject’s right of access to PII, and the identification of the arbitration forum for disputes;
  • Impose stronger controls on data transfers to third-party data controllers, including assurances that “the recipient will provide the same level of protection as the (EU) Principles”;
  • Impose stronger controls on data transfers to third-party data processors and “agents,” including assurances that “the recipient will provide the same level of protection as the (EU) Principles”;
  • Obtain assurances from organizations that they will remain responsible for misuse, even if their responsibilities were delegated to other controllers, processors, or “agents”;
  • Obtain commitments by organizations to “respond expeditiously” to EU member complaints “through the Department (FTC)”;
  • Require that the FTC “verify self-certification requirements” provided by organizations, including commitments by the organizations to “cooperate with the appropriate EU data protection authorities”;
  • Conduct more extensive verification of, and follow-up on, expired certifications and organizations that have been removed; and
  • Obtain a commitment by the FTC to work more closely with European data protection authorities.

Concurrent with the release, the FTC repeatedly assured the EU that it will vigorously enforce the requirements of the Privacy Shield program.  Just as interestingly, there appears to be a “national security” exemption for U.S. intelligence that remains to be discussed.[4]

_______________________________

[1] Press Release, Statement of FTC Chairwoman Edith Ramirez on EU-US Privacy Shield Framework (FTC Feb. 29, 2016); see also Sayer, Five Things You Need to Know About the EU-US Privacy Shield Agreement (PC World Feb. 29, 2016) (stating draft program is still subject to approval).

[2] Package to the European Commission, Commissioner of Justice, from the US Dept. of Commerce, dated Feb. 23, 2016, which includes a package with tentative details on the Privacy Shield program, subject to an adequacy decision, at p. 5-11, available at https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf?utm_source=govdelivery

[3] Instead of “correction,” the words used for the summary initial details are actually “recourse mechanisms.”  Id. at p. 5.  It remains to be seen whether “recourse mechanisms” will be read to include the now infamous EU “right to be forgotten.”  But see id. at p. 34, Section 8(a)(i)(3) (on “hav[ing] the data corrected, amended, or deleted…”).  Because this publication is being released before any further clarification has been released, “correction” was selected as the best description of the new tentative requirement.

[4] Id. at p. 10.