Trans-Atlantic criticism of US Privacy Shield enforcement could prompt changes
24 January 2020. By Mike Swift and Matthew Newman.
Five recent EU-US Privacy Shield violations alleged by the US Federal Trade Commission typify the regime's enforcement history that has often focused on smaller companies committing procedural violations of the international data-transfer mechanism.
The FTC's Privacy Shield allegations this month against DCR Workforce, Thru, LotaData, 214 Technologies, and EmpiriStat — the companies are hardly household names — don't allege a substantive practice that violated data-protection principles.
The allegations against all five are procedural. The FTC reached settlements with the companies on its allegations that they falsely claimed to be certified under the EU-US data transfer framework. The FTC said they had failed to complete the necessary forms and disclosures required to obtain that certification.
A review of Privacy Shield's enforcement by the FTC reveals few cases against large, publicly traded companies with substantive violations of the 23 data-protection principles that form the basis of the Privacy Shield framework. But that could change. Increasingly within the FTC, there is an internal debate which is only now becoming public over whether procedural enforcement cases brought against small companies are an effective use of the FTC's limited enforcement budget.
"There are real law violations," FTC member Rebecca Slaughter told MLex this week. "But when there are so many problems on our docket that affect American consumers, we must make sure we are spending our limited enforcement dollars in places that have the biggest bang for the buck for the American consumer. It's not clear to me that these cases always deliver that."
European data-protection regulators, and some members of the European Parliament, are also starting to more vocally criticize Privacy Shield enforcement, saying the current system is failing to enforce basic data-protection principles baked into law such as the European Union's General Data Protection Regulation, or GDPR.
With unhappiness on both sides of the Atlantic, pressure is likely to continue to grow for changes in how the Privacy Shield is enforced in advance of the next annual review this fall.
— European criticism —
More than 5,000 companies have pledged to follow Privacy Shield principles since the data-transfer framework launched in 2016, replacing the earlier Safe Harbor data-transfer scheme that was scuttled by a European Court of Justice decision in 2015. About 70 percent are small or mid-size businesses, according to the US Department of Commerce, which oversees Privacy Shield with the FTC.
The framework is an essential tool for the smooth transfer of data across the Atlantic. If companies lose the mechanism, they would have to find cumbersome alternatives, such as privacy-enhancing clauses in contracts or binding corporate rules. An EU court is considering whether these mechanisms are valid and protect EU citizens' fundamental rights. A decision is due this year.
Under the current system, the Commerce Department refers potential Privacy Shield violations to the FTC for investigation. The two-agency shuffle isn't an effective system, say those familiar with the specifics, because early-stage startups that may be too small to have legal staff are more likely to ignore the compliance warnings from the Commerce Department that arrive by e-mail or the US Postal Service.
A pattern of enforcement being limited to procedural violations by small companies was highlighted in a recent report by the European Data Protection Board.
Lisa Marie Lange, a member of the EDPB, told members of Parliament Jan. 9 that US enforcement hasn't tested whether US companies are complying with foundational principles of the GDPR, focusing instead on issues like the timeliness of a company's recertification process. She spoke at a hearing in Brussels this month in which members of Parliament attacked the European Commission for giving another clean bill of health to the EU-US data transfer agreement this year.
"In other words, there's not really substantive checks on what happens to the data that has been transferred under the Privacy Shield," Lange said. "Since there do not seem to be complaints that trigger these kinds of checks, the vast majority of processing under the Privacy Shield remains unchecked."
Privacy Shield is a critical agreement for US Internet giants because it is what allows them to access and transfer the personal data of the world's largest bloc of consumers in developed nations: the 500 million people in the European Union. As a result, Privacy Shield is a bridge between a system where privacy is a fundamental human right and one where it is an economic, consumer-protection issue — a bridge that touches the economic, regulatory and social tensions between Europe and the US.
Privacy Shield is built on 23 data protection principles, starting with the basic principles of notice and choice that require companies to tell consumers they are collecting personal information, and give them the opportunity to opt out of sharing of that data with third parties.
Few of the FTC's enforcement actions have been based on the violation of those 23 principles, however. While there are a few exceptions where consumer-facing companies have been sanctioned for violating those principles, they are relatively rare.
A look back through recent FTC Privacy Shield cases reveals a long list of anonymous, small startups which committed procedural stumbles, such as Medable, SecurTest, and ReadyTech. Nor were a 2018 crop of alleged Privacy Shield violators — IDmission, mResource, SmartStart Employment Screening and VenPath — likely to appear on the Fortune 500 list any time soon.
— Pressure for Change —
The FTC says it does prioritize substantive violations of Privacy Shield. The fact that most companies cited for violations have been small is due in part to the fact that most of the companies that use the data-transfer system are small.
"Every time we open an investigation, we look to see if a company is a member of Privacy Shield, and we ask questions about substantive compliance," the agency said in a statement from a spokeswoman. "In addition, we have conducted sweeps of Privacy Shield participants to ask questions about substantive compliance. As to the size of our enforcement targets thus far, given that substantial numbers of small businesses use Privacy Shield, it is no surprise that many of our cases involve smaller companies."
Slaughter isn't the only member of the FTC concerned about whether the current enforcement system is effective, MLex has learned.
Meanwhile, Slaughter wants more emphasis on substantive violations by larger companies that have the organizational capacity to know better.
"I think doing Privacy Shield enforcement is important," she told MLex. "But as a prioritization question, we have very limited enforcement dollars. Even just in the privacy space, I want to focus on companies that are large, control a lot of data, and commit substantive violations of the Privacy Shield principles."
In Brussels, frustration over the lack of enforcement and weak oversight of the Privacy Shield spilled over during the parliament hearing. Sophie in 't Veld, a Dutch member of the center-right Renew Group, criticized the European Commission for giving the agreement an all-clear during its latest annual review.
"This isn't the way that we can protect our citizens, and this doesn't even take the EU seriously. We make laws, and we negotiate with the US and we give it all away," she said. "And then we only timidly ask whether they would be so kind as to at least a little bit live up to what we agreed."
One exception was Cambridge Analytica, the notorious political data-mining company that acquired the personal data of about 87 million Facebook users, and used that data to try to sway votes in the 2016 US presidential election. As part of the FTC's overall settlement with Cambridge Analytica, the enforcer said the now-bankrupt company violated the EU-US Privacy Shield, as well as a similar data-transfer agreement between the US and Switzerland.
But while the FTC issued a 5-0 opinion in December that Cambridge Analytica violated Privacy Shield, the violation was a procedural failure to keep its Privacy Shield certification current and to affirm to the Commerce Department that it would follow the Privacy Shield principles — even though Facebook has said that Cambridge Analytica violated its terms of service in obtaining user data.
The FTC is taking on one sizable company that it accused of substantive Privacy Shield violations — Nevada-based RagingWire Data Centers — which the FTC sued in its administrative court in November. RagingWire is a unit of NTT Global Data Centers, a public company with 40,000 employees and $11 billion in annual revenue.
RagingWire is fighting back, moving unsuccessfully in December in the FTC's administrative court to dismiss the FTC's allegations that RagingWire failed to maintain a dispute-resolution process for consumers who had privacy complaints about the company. Slaughter wants to see the FTC pivot to cases like RagingWire, where companies with significant resources allegedly failed to comply with international data protection principles.
"If we had unlimited resources and could enforce every law violation out there, maybe it would make sense," she said of the current system aimed at procedural violations. "But if it's resources that are coming out of something else, the question is: For whose benefit?"