EU Privacy Shield Year In Review: 2017

May 20, 2020, 09:00 AM by Bryant Fry

The first full year of the new Privacy Shield Frameworks was a success for the BBB EU Privacy Shield (BBB EUPS) program, its participants, and EU consumers alike. Reflecting on the progress we have made, and looking forward to the future, we have collected some of the significant developments and accomplishments in this year-in-review blog post.

Major growth. The ranks of BBB EUPS participants swelled during 2017. By January 2018, there were more than 750 participants in the program, out of a total of nearly 2,600 companies self-certified to the EU Privacy Shield Framework. April 2017 also marked the launch of self-certification under the Swiss-US Privacy Shield. By the end of the year, BBB EUPS had also assisted more than 400 of the 1,130 companies self-certified to this new Framework.

Last resort mechanism established. In the second half of 2017, the US Commerce Department worked to effectuate the “last resort” binding arbitration for EU individuals, described in Annex 1 to the Privacy Shield Framework. The option for binding arbitration is in place for those who have exhausted multiple redress options under Privacy Shield without satisfactorily resolving a privacy complaint. Formalizing this mechanism involved the selection of a panel of fifteen arbitrators, the establishment of an arbitral fund paid for by a one-time assessment on Privacy Shield participants, and the appointment of an administrator (ICDR-AAA) to manage the fund and arbitration process.

Successful annual review. In September 2017, the United States government, the European Commission, and several EU data protection authorities conducted a two-day review of Privacy Shield. Among the handful of invited private sector participants was BBB EUPS Director Frances Henderson, who discussed program operations and answered questions about the BBB EUPS 2016-2017 Procedure Report. In October, the European Commission released a positive report on the Annual Review, stating that Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to the US. A separate report was published by the EU Data Protection Authorities’ Article 29 Working Party in late November.

Ongoing refinements. The reports from the European Commission and Article 29 Working Party each offered recommendations to improve Privacy Shield in advance of the next Annual Review in 2018. These included suggestions to improve Privacy Shield oversight of commercial activities, notably in the areas of compliance monitoring and false self-certification claims. In addition, they noted the need to raise awareness among EU individuals about how to enforce their rights and submit complaints. BBB EUPS continues to work closely with the US Commerce Department, engaging directly with these concerns and striving for an ideal implementation of the Frameworks.

Preparing for evolving legal requirements. As 2017 drew to a close, many new and existing participants in BBB EUPS were busy refining their data privacy practices in anticipation of complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679). This has driven a surge in program growth as companies in the EU and the United States seek to align Privacy Shield and GDPR compliance in preparation for the May 25th, 2018 launch date. Many companies will rely on Privacy Shield as an adequate transfer mechanism that meets the GDPR requirement for transfers of personal data from the EU to the United States. Privacy Shield participants should also be aware that some other aspects of the new Regulation are already engineered into the Privacy Shield, which many companies think of as an “on-ramp” to full GDPR compliance. Companies that could be affected by this regulation may also want to focus on priorities such as building a comprehensive framework of internal policies, developing a workable system of data protection impact assessments, appointing a DPO, preparing for cybersecurity breaches, tightening vendor agreements, and legitimizing international data flows.

Overall, 2017 was a productive year for Privacy Shield, laying a strong foundation for many years to come. But the BBB EUPS program will keep a weather eye on the horizon as EU data privacy law continues to develop. The proposed ePrivacy Regulation, Brexit negotiations, and pending CJEU decisions may all bring changes that impact Privacy Shield, either directly or indirectly. Stay tuned to this blog to keep track of these developments.
