The Federal Trade Commission (FTC) recently announced a compliance sweep of companies claiming to be in compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield Frameworks. The U.S.-EU Privacy Shield and the U.S.-Swiss Privacy Shield programs enable companies to self-certify that they have adopted a number of data protection practices to bring their businesses in line with European data protection law. Because the U.S. lacks a generally applicable federal data protection law, and because the standards for data protection in the U.S. are less stringent than those in the EU, the U.S. is considered to be an “inadequate” jurisdiction under European law, and data transfers to the U.S. are generally barred. However, if a company adopts data protection practices consistent with the requirements of European law, it may self-certify compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield with the U.S. Department of Commerce. Adherents to the Privacy Shield frameworks can then represent their data protection practices as “adequate” under EU law, enabling free and legal transfer of personal data regarding EU data subjects to the U.S. under the European Union’s General Data Protection Regulation and Swiss Data Protection Act.
In addition to the enforcement action against SecurTest, the FTC also issued warning letters to 13 companies that claimed to be participants in the long-defunct U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks. The U.S.-EU and U.S.-Swiss Safe Harbor programs were predecessors of the U.S.-EU and U.S.-Swiss Privacy Shield programs. The U.S.-EU Safe Harbor program was deemed invalid by the European Court of Justice on Oct. 6, 2015, after Max Schrems, an Austrian privacy activist, brought a complaint against Facebook challenging the adequacy of the protection afforded to European data under the Safe Harbor framework. Following the decision by the European Court of Justice, the Swiss Data Protection Authority determined that the U.S.-Swiss Safe Harbor did not accord adequate protection for data transferred from Switzerland and declared the U.S.-Swiss Safe Harbor to also be invalid. The FTC also sent warning letters to two other companies for falsely claiming to be participants in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules.