publications full of ideas

With Your Shield Or On It

The FTC Steps Up Privacy Shield Enforcement


Three years ago, the European Court of Justice killed the US-EU Safe Harbor Program. In the wake of the decision, American and EU negotiators developed the “Privacy Shield” program to facilitate cross-Atlantic data transfers. The Department of Commerce and the Federal Trade Commission (FTC) were designated to regulate the American side of the program.

American regulators came under fire last summer, when the EU Parliament complained that they had not been aggressive enough in their oversight. EU Justice Commissioner Věra Jourová raised similar concerns with Secretary of Commerce Wilbur Ross. Perhaps in response, the FTC has brought a number of actions against companies for Privacy Shield violations.

The Privacy Shield program relies on a self-certification process. Privacy Shield compliant-companies commit to stringent privacy safeguards. The safeguards include restrictions on further transmission of data, cooperating with an Ombudsman, data security standards, notice, and consumer choice.

The FTC alleged that the offending companies had not met these requirements. Some did not complete the certification procedure. Others simply let their certifications lapse. Yet all continued to hold themselves out as Privacy Shield compliant. The FTC viewed this inaccuracy as a “deceptive” action that violates the FTC Act. 

Consequently, the FTC proposes to penalize these violations with various sanctions: companies will be barred from misrepresenting their participation or compliance with the Privacy Shield program. They must agree to adhere to FTC reporting requirements. They must agree to delete improperly collected data. Full Privacy Shield protections will apply to remaining data. The FTC may also require monitoring or additional safeguards.

These sanctions, together with any monitoring requirements, mean that the FTC has now acted against eight companies for Privacy Shield violations. It promises to “continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.” Whether this suffices to meet EU standards is undetermined. For now, companies needing to vet their Privacy Shield compliance program, or cross-border data mechanism, should consult with counsel.

Saad Gul, editor of NC Privacy Law Blog, is a partner with Poyner Spruill LLP. He advises clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.

related information

what's new at the firm

2019 Charlotte Employment Seminar: Navigating Risks in the Workplace


Wednesday, May 15th at 2 P.M. Join us as we discuss the impact of #metoo and managing risks in retirement plans.

Employee Benefits Day Webinar: Executive Compensation


Attracting and retaining executives and key employees is critical to an organization's success. As a result, offers of employment often come with special perks and promises. These additional benefits are essential in attracting the executive, but can create unintended liabilities. This session will identify common issues associated with executive compensation arrangements, discuss the potential liability, and provide practical tips to allow you to spot potential issues before they become liabilities.

Poyner Spruill’s First Ever NCAA Tournament Party


This year we will be hosting our first annual NCAA Party!

Mayo named Client Choice Award winner in North Carolina


RALEIGH, N.C. — Poyner Spruill partner Kelsey Mayo has been named the 2019 Client Choice Award winner in the Employment & Benefits category for North Carolina.

Terminating Employment: Best Practices to Navigate the Termination Minefield


How an employer manages an employment termination is often the determinative factor in whether an employee sues for wrongful termination. This webinar discussion focuses upon best practices that should be used to minimize frequency of post-termination lawsuits, severance and release considerations, and essential planning and documentation for termination of an employee.