Enforcement of Privacy ShieldEnforcement of Privacy Shield
Private Sector Enforcement
Participating organizations are required to remedy problems arising out of a failure to comply with the Privacy Shield Principles. As part of their Privacy Shield obligations, participating organizations are required to have in place an independent recourse mechanism that is available to investigate and resolve individual complaints and disputes at no cost to the individual, as well as procedures for verifying compliance. Sanctions that the independent recourse mechanism can apply must be rigorous enough to ensure compliance by the organization; they should include publicity for findings of non-compliance and deletion of data in appropriate circumstances. The available sanctions may also include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance, and injunctive awards. If Privacy Shield organizations fail to comply with the rulings of the independent recourse mechanisms, the independent recourse mechanisms must notify the governmental body with applicable jurisdiction or the courts, as appropriate, and the Department of Commerce.
The Recourse, Enforcement and Liability Principle can be satisfied in different ways. Your organization can meet the requirements by complying with a private sector developed program that incorporates and satisfies the Privacy Shield Principles. If the private sector developed program, however, only provides for dispute resolution and remedies but not verification, then your organization will have to satisfy the verification requirement in an alternate way, such as through self-assessment. Your organization can also meet the requirements by committing to cooperate with the EU data protection authorities under the EU-U.S. Privacy Shield Framework or the Swiss Federal Data Protection and Information Commissioner under the Swiss-U.S. Privacy Shield Framework.
U.S. organizations that are subject to the jurisdiction of either the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate in the Privacy Shield program. The FTC and DOT have expressed, in letters to the European Commission (see FTC letter and DOT letter), their commitments to enforce the EU-U.S. Privacy Shield Framework. Similar letters have been sent to the Government of Switzerland (see the Swiss-U.S. Privacy Shield Framework). Additional information may also be found on the Privacy Shield page on the FTC website. Under the Federal Trade Commission Act, an organization's failure to abide by commitments to implement the Privacy Shield Principles may be challenged as deceptive by the FTC. The FTC has the power to prohibit such misrepresentations through administrative orders or by seeking court orders; violations of those administrative orders can lead to civil penalties of up to $40,000 per violation or $40,000 per day for continuing violations as of August 1, 2016. Similarly, failure by a U.S. or foreign air carrier or ticket agent that markets air transportation to abide by its public commitment to implement the Privacy Shield could be actionable under 49 U.S.C. 41712, which prohibits U.S. and foreign air carriers and ticket agents from engaging in “an unfair or deceptive practice” in the sale of air transportation that results or is likely to result in consumer harm. Violations of section 41712 can result in the issuance of cease and desist orders and the imposition of civil penalties of up to $32,140 for each violation as of August 1, 2016.
Persistent Failure to Comply
If an organization persistently fails to comply with the Privacy Shield Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Privacy Shield Principles will be removed from the Privacy Shield List by the Department of Commerce and must return or delete the personal information they received under the Privacy Shield.
Persistent failure to comply arises where an organization that has self-certified to the Department of Commerce refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails to comply with the Privacy Shield Principles to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of Commerce of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. § 1001). An organization’s withdrawal from a private-sector privacy self-regulatory program or independent dispute resolution mechanism does not relieve it of its obligation to comply with the Privacy Shield Principles and would constitute a persistent failure to comply.
The Department of Commerce will remove an organization from the Privacy Shield List in response to any notification it receives of the organization's persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a government body, but only after first providing 30 days’ notice and an opportunity to respond to the organization that has failed to comply. Accordingly, the Privacy Shield List maintained by the Department of Commerce will make clear which organizations are assured and which organizations are no longer assured of Privacy Shield benefits.
An organization applying to participate in a self-regulatory body for the purposes of requalifying for the Privacy Shield must provide that body with full information about its prior participation in the Privacy Shield.