This month we’re celebrating Privacy Shield’s first birthday (admittedly, a bit belated) with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know. If you are looking for a quick primer on Privacy Shield, please check out our previous post here. Once you’re ready, read on:

FTC Enforcement Has Arrived

On September 8, we got our first taste of Privacy Shield enforcement. The FTC announced enforcement actions against three companies for allegedly making false statements in their privacy policies that they participated in Privacy Shield when they had not actually registered as participants with the Department of Commerce (DoC). The FTC entered into consent orders with the companies, which prohibited the companies from misrepresenting their participation “in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Further, the consent orders required the companies to comply with report and notice, recordkeeping, and monitoring obligations, some of which extend 20 years.

These enforcement actions shed light on basic mistakes that can lead to FTC scrutiny. Each of the companies involved in these enforcement actions posted a privacy policy indicating it participated in Privacy Shield. Further, each of the companies started the Privacy Shield registration process with the DoC, but did not complete it. And it is not difficult to imagine the facts that led to such circumstances – because the Privacy Shield registration process requires companies to update their privacy policies prior to DoC review, these companies likely updated their privacy policies as part of the registration process, yet failed to complete their applications for one reason or another. The DoC then identified these companies as failing to complete their applications, cross-referenced the companies’ privacy policies for representations about Privacy Shield, and referred them as violators to the FTC.

So how do you avoid these mistakes? For starters, if you begin the Privacy Shield registration process with the DoC, make sure to complete the process, which may require responding to specific requests from the DoC. If you are already registered, do not forget to renew your self-certification on an annual basis – for many companies, the first annual renewal is already due. If you decide not to complete the process or renew your self-certification, remove any references to Privacy Shield from your privacy policy. As always, never copy and paste template language from another company’s privacy policy as that could result in representations that do not accurately reflect your practices.

Expect Continued and Amplified Enforcement by the FTC

The Court of Justice of the European Union (CJEU) invalidated the old Safe Harbor Framework, in part due to alleged lack of oversight and enforcement. When constructing Privacy Shield, EU and U.S. representatives worked to address this issue by adding a requirement that the U.S. government and participants must submit each year to a review by the European Commission of their compliance with the Privacy Shield Principles. The first annual review took place during the week of September 20, and concluded with a joint statement from the European Commission and U.S. Secretary of Commerce indicating continued support and commitment to Privacy Shield. European regulators are expected to publish a written report later this month detailing the discussions and potential areas for improvement.

While Privacy Shield appears to have survived its first annual review, we expect the written report to demand stronger enforcement by the FTC. Such an outcome is particularly likely given that the FTC previously brought enforcement actions similar to those announced on September 8 for alleged violations of the Safe Harbor Framework, yet such enforcement actions were not sufficient to save Safe Harbor from invalidation. In order to prove its commitments under Privacy Shield, the FTC will need to look beyond companies that misrepresent their participation in Privacy Shield, and it is likely that future FTC enforcement actions will dig deeper into company practices. If you participate in Privacy Shield, you should routinely document your compliance with the Privacy Shield Principles, including the Principles of Choice and Accountability for Onward Transfer, and make sure to complete your annual compliance review requirement.

All Participants Must Pay a New Fee to Establish the Arbitral Fund

Privacy Shield requires the DoC to establish a fund to cover arbitrator costs for proceedings brought pursuant to the Privacy Shield arbitration requirement. Earlier this month, the DoC announced details about the arbitral fund, including that the fund will be managed by the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) and that all Privacy Shield participants must pay a fee to establish the fund. This arbitral fund fee is in addition to the required registration and renewal fees. Companies applying to participate in Privacy Shield must now pay the fee when they register with the DoC, while companies already participating in Privacy Shield must pay the fee no later than November 2. If you participate in Privacy Shield, make sure to pay the fee before the deadline, as failure to pay the fee could cause your participation status to lapse and potentially result in an FTC enforcement action. You can pay the fee here.

Standard Contractual Clauses under Scrutiny

As most Privacy Shield participants know, Privacy Shield is only one option for lawful data transfers from the EU to the U.S. Standard contractual clauses or “model clauses” are another important option, which became even more prevalent after the CJEU invalidated Safe Harbor. Following the invalidation of Safe Harbor by the CJEU in October 2015, the plaintiff from that matter, Max Schrems, brought a similar case with the Irish Data Protection Commission (DPC) against Facebook challenging the validity of standard contractual clauses. In May 2016, the DPC referred the case to the Irish High Court on grounds that standard contractual clauses are likely invalid but the DPC does not have the authority to declare them invalid under EU law. Last week, on October 3, the Irish High Court also punted by finding that standard contractual clauses pose “well founded concerns” and referring the case to the CJEU. We now find standard contractual clauses in a similar position to the circumstances that led to the invalidation of Safe Harbor in 2015.

Although standard contractual clauses are still valid and the CJEU is not expected to render a decision for a year or two, companies currently dependent on standard contractual clauses for the transfer of data from the EU to the U.S. should strongly consider applying for self-certification under Privacy Shield. While Privacy Shield does not address data transfers from the EU to countries other than the U.S., having an alternative mechanism in place to address EU-U.S. data transfers may help companies become less dependent on standard contractual clauses and be better prepared in the event the CJEU invalidates standard contractual clauses.