Happy Flag Day from Portsmouth, New Hampshire!
We've spent a lot of time in recent months discussing state and federal privacy law in this country ... and with good reason! There's a lot going on and a ton to keep up with, but I want to focus today on a few developments this week involving transborder data flows. As a side note, it's hard to believe it was less than three years ago that we were collectively focused on the fate of the EU-U.S. Privacy Shield agreement. Post-Obama presidency, the GDPR and CCPA, it seems like a distant memory.
Earlier today, the Federal Trade Commission today announced it is taking action against several companies that falsely claimed compliance with Shield and other international privacy agreements. Specifically, it reached a settlement with a background-screening company over false claims and sent warning letters to 13 other companies for allegedly making similar false claims.
Shield, along with standard contractual clauses, will also go on trial in the EU this July. Just in time for our Fourth of July celebrations here in the States, the General Court of the European Union (an arm of the Court of Justice of the EU) will hear a case against Shield. Three French-based organizations brought the case, which runs on similar logic to the so-called "Shrems I" case that eventually brought down the EU-U.S. Safe Harbor framework. The new complaint alleges the U.S. government is still permitted to conduct mass surveillance on EU citizens, though, according to a Hogan Lovells blog post, the organizations agree that the Shield is "a less vague scheme, and, implicitly, that it is more protective than Safe Harbor was ..." The other case involves SCCs. The now-famous "Schrems II" case, which was referred to the CJEU by the Irish High Court, includes 11 questions about SCCs and whether they offer an adequate level of protection for data transferred to the U.S. from the EU. Huge consequences here in both cases.
On more positive transborder data flow news, the IAPP's Joe Duball recently caught up with a representative from the U.S. Department of Commerce’s International Trade Administration to discuss the naming of a new accountability agent in the Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules program. As the second U.S.-based agent, Schellman now joins TrustArc subsidiary TRUSTe. Schellman Principal Debbie Zaller, CIPP/US, told Joe that "It fits right in with our other services." She added that "it creates a lot of opportunity for all." Along with TrustArc, including more accountability agents may help get "the word out in the world about APEC and what the certification can do for organizations." This may well be a positive step for getting more CBPR adoption.
If you want to comment on this post, you need to login.