
FTC Privacy Principles Offer Guidance to Companies In Light of Schrems Decision

The invalidation of the Privacy Shield by the recent Schrems II decision has left businesses scrambling to find a lawful basis for their data transfers abroad.  In this uncertain landscape, the FTC's own statements on the Privacy Shield principles offer a useful source of guidance for businesses that move personal data across the Atlantic.

In July, the Court of Justice of the European Union (CJEU) issued the Schrems II decision (Case C-311/18), invalidating the EU-US Privacy Shield Framework.  The Privacy Shield was a mechanism that allowed United States businesses to receive and store European Union personal data in the United States.  The ruling means that the United States is no longer treated as providing an adequate level of protection, so transfers to the US now require some other lawful transfer mechanism.  While the Privacy Shield has been declared invalid, the CJEU held that international data flows under the General Data Protection Regulation (GDPR) may continue under the EU Standard Contractual Clauses, provided the parties verify that the destination country's law does not undermine the protections the clauses promise.  Because of that added verification burden, the decision calls into question the future of data flows between the United States and the European Union even where Standard Contractual Clauses are in place.

Despite the Schrems II decision invalidating the Privacy Shield Framework, here in the United States the Federal Trade Commission (FTC) has said it will continue to hold companies to the commitments they made under it.  With broad civil enforcement authority to promote consumer protection and competition in the commercial sphere, the FTC has stated that it will hold companies accountable for violating the international data commitments they made to protect transatlantic data transfers, even though the framework itself has been rejected.  Those commitments include adherence to the following principles:

  1. Notice: informing individuals of the company's participation, the types of data collected, and the purposes for which the data are collected.
  2. Choice: giving individuals the ability to opt out of, or consent to, the types of data being collected and how they are used.
  3. Accountability for onward transfers: remaining responsible for personal data passed on to third parties, and ensuring those transfers comply with the Notice and Choice principles.
  4. Security: taking reasonable and appropriate measures to mitigate the risks of maintaining collected personal data.
  5. Data integrity and purpose limitation: confirming that data are reliable, kept accurate, and used only for purposes compatible with those for which they were collected.
  6. Access: ensuring individuals can access the personal data an organization holds about them.
  7. Recourse, enforcement, and liability: maintaining robust mechanisms to ensure compliance and to provide recourse for individuals affected by noncompliance.

FTC commissioners agree that there should be a national data privacy law governing online privacy, and attention is growing on the need for broader privacy legislation that would allow the FTC to impose civil penalties, adapt as technology changes, and hold non-profits and common carriers accountable, entities that participated in the Privacy Shield Framework but were previously beyond the FTC's enforcement powers.

Data security and privacy continue to feature prominently in ongoing antitrust investigations of technology platforms.  Europe has made clear that strong privacy protections are a key priority as the volume of data collected grows exponentially.  Although the Privacy Shield is no longer a viable mechanism for complying with EU data protection requirements, US companies that certified under it are not relieved of the commitments they previously made.

We encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they accurately describe their privacy practices, including with regard to international data transfers.  

At Beckage, we have a team of highly skilled attorneys with certified GDPR expertise who can help your company work toward compliance and data protection in both Europe and the United States.  Beckage works with clients to review current policies and assess data security practices.  Our team can help implement a plan to address applicable data privacy legislation and serve as legal counsel to help your company understand the legal implications of transatlantic data transfers.

*Attorney Advertising. Prior results do not guarantee similar outcomes. 


Brazil’s New Privacy Law: What Your Business Needs To Know

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s general data protection law. It creates a legal framework for the use of personal data that is processed in Brazil or relates to individuals in Brazil. The LGPD is largely aligned with the EU’s General Data Protection Regulation (GDPR), one of the toughest privacy and security laws in the world, which imposes obligations on organizations that target and collect data from individuals in the EU. Like the GDPR, the LGPD takes a comprehensive approach to protecting the personal data of individuals in Brazil. The LGPD is scheduled to take effect on August 16, 2020.

Does the LGPD Apply to My Business?

The LGPD applies to any business, regardless of where in the world it is located, that processes personal data of individuals located in Brazil, personal data collected in Brazil, or personal data in connection with the offering of goods or services in Brazil. Personal data is broadly defined by the LGPD to include any information related to an identified or identifiable natural person. Personal data can include names, identification numbers, and online identifiers and locators, and can extend to facts about a person's psychological, mental, or economic situation. Anonymized data is not considered personal data. As under the GDPR, an organization must have a valid legal basis for processing personal data under the LGPD. The LGPD also grants data subjects a number of rights over their personal data, including access to their personal data, deletion of personal data processed on the basis of consent, and information about the public and private entities with which the organization has shared their personal data.

There are a few exceptions to the LGPD, namely:

1. Data processed by a person strictly for personal reasons,

2. Data processed exclusively for journalistic, artistic, literary, or academic purposes, and

3. Data processed exclusively for purposes of national security, national defense, public safety, or the investigation and prosecution of criminal offenses.

Other fundamental rights under the LGPD include:

• Right to confirmation of the existence of the processing

• Right to correct incomplete, inaccurate, or out-of-date data

• Right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD

• Right to the portability of data to another service or product provider, by means of an express request

• Right to information about the possibility of denying consent and the consequences of such denial, and

• Right to revoke consent.

Similar to what we have seen under other privacy regimes such as the GDPR, CCPA and NY SHIELD Act, the LGPD requires controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access. Organizations must, in most cases, appoint a data protection officer responsible for receiving complaints and communications from data subjects and the authority. Additionally, organizations must report data breaches to the Brazilian national authority and notify affected data subjects within a “reasonable amount of time” when the breach may result in relevant risk or harm to them. Where necessary, the National Data Protection Authority (ANPD) can order the controller to adopt measures to mitigate the effects of the incident.

The LGPD is not as punitive as the GDPR, in either sentiment or financial penalties. The LGPD establishes fines of up to 2% of a company’s revenue in Brazil in the preceding fiscal year, capped at 50 million Brazilian Real per violation (approximately $12,894,500 USD, or 11.2 million Euros, at the time of writing). By comparison, the GDPR allows fines of up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher.

Brazil’s newly implemented law, reminiscent of the GDPR, requires compliance with strict requirements related to the processing of personal data. Beckage’s team of highly experienced attorneys can work with your business to evaluate whether, and to what extent, privacy laws such as the LGPD, GDPR, CCPA and NY Shield Act apply. Understanding what data your business is collecting, how it is being processed, and with whom that data is being shared are just some of the critical questions that need to be explored with counsel.  Our Beckage team can help you align with the LGPD’s business requirements while implementing controls and mitigating risk.

*Attorney Advertising. Prior results do not guarantee a similar outcome.



EU-US Privacy Shield Invalidated: Schrems II Decision Released

Yesterday, the Court of Justice of the European Union issued the long-awaited decision in Schrems II (Case C-311/18) in which it invalidated the EU-US Privacy Shield data transfer mechanism.  The Court’s decision was based on ongoing concerns that the American surveillance programs, as initially revealed by Edward Snowden, undermine the guaranteed privacy rights of EU-based individuals under Europe’s General Data Protection Regulation.  

Among the takeaways of the decision:

• Privacy Shield Invalidated; immediate effect on Privacy Shield certifications is unknown, although some grace period is expected.

• Immediate disruption in international data transfers where prior basis for such transfers has been invalidated.

• Use of Standard Contractual Clauses remains valid, for now.  However, the Court expressly requires exporters and importers relying on SCCs to verify, on a case-by-case basis, whether the law of the receiving organization’s country provides protection essentially equivalent to that guaranteed in the EU, and to put supplementary safeguards in place where it does not.

• Expect to see increased use of Binding Corporate Rules (BCRs), though these can only go so far, as they cover transfers within a corporate group or between joint enterprises.

• Expect to see increased use of Data Processing Agreements as organizations look to contractual terms to document the basis for their transfers.

• Organizations must evaluate other bases for transfer, to include consent.  

While the use of Standard Contractual Clauses (SCCs) is allowable, for now, their long-term fate has been called into question by the decision.  Following release of the Schrems II decision, the Irish Data Protection Commission issued a statement: “[…] it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.” It adds that the issue “will require further and careful examination, not least because assessments will need to be made on a case by case basis.”

Of note, the Schrems II decision does not concern so-called ‘necessary’ data transfers, such as those covered by the GDPR’s Article 49 derogations for transfers necessary to perform a contract with the data subject.  Rather, this decision involves the bulk outsourcing of data processing from the EU to the US (typically undertaken for cost or convenience).  Accordingly, one impact of the decision may be that more and more companies switch to regional data processing providers for their European users.

One thing is clear: the Schrems II decision will have a significant impact on organizations that rely on the Privacy Shield for international data transfers.  These organizations will need to quickly evaluate their data transfer activities and determine whether an alternative transfer basis exists.

Beckage works with clients to evaluate bases for international data transfers, including the use of DPAs and SCCs, and on the development of Binding Corporate Rules.  Beckage’s attorneys include dedicated information privacy professionals (CIPP/US and CIPP/EU) certified by the International Association of Privacy Professionals.

The full text of the Schrems II decision (Case C-311/18) is published by the Court of Justice of the European Union.

*Attorney Advertising: Prior results do not guarantee a similar outcome.
