The US-EU Privacy Shield agreement is supposed to protect personal data transferred from the EU to the US. The agreement has come under heavy criticism. On April 6, the European Parliament adopted a resolution criticizing Privacy Shield.
The Federal Trade Commission (FTC) is the main US government agency tasked with investigating and enforcing compliance with the Privacy Shield agreement. Last week, I sent the FTC a series of questions about Privacy Shield. The most surprising of the FTC’s responses is its admission that it has no employee solely assigned to Privacy Shield enforcement. Instead, the FTC has about 40 people in the Division of Privacy and Identity Protection, who must also focus on enforcing numerous other federal laws. The FTC also refuses to disclose whether there are any active or closed investigations into Privacy Shield compliance. There is a real possibility that the FTC has not initiated any Privacy Shield investigations, but it is impossible to know because the FTC refuses to disclose this.
It is also surprising that the FTC quotes its Chair Ohlhausen as being a staunch advocate for Privacy Shield, even though she also opposed the FCC’s broadband privacy rules.
FTC Q&A on Privacy Shield
1) For the fiscal year 2017, how many FTE (full-time equivalent) employees have been assigned solely to Privacy Shield investigation and enforcement?
A: We have staff of about 40 people in our Division of Privacy and Identity Protection. These attorneys enforce a variety of laws, including the FTC Act, COPPA, GLB, and the FCRA. They also put together workshops, draft reports, blogs, speeches and testimony, stay current on privacy and security issues, and conduct Privacy Shield investigations. Although most of these people have worked on Privacy Shield issues, we have not assigned anyone to solely conduct Privacy Shield investigations. Staff from other parts of the agency also provide technical and investigative support on particular matters, and support for general operations, as appropriate.
2) How does the FTC plan to investigate and enforce Privacy Shield compliance?
A: Acting FTC Chairman Maureen K. Ohlhausen said in a speech last month that “Enforcing international privacy frameworks such as Privacy Shield is an integral part of our Data Security and Privacy program. We have used our authority to take action against nearly 40 companies for deceptively misrepresenting compliance with the predecessor Safe Harbor program, including Google and Facebook. We have also enforced against four companies that misrepresented their participation in the APEC Cross-border Privacy Rules System – a framework designed to facilitate data transfers in the Asia-Pacific region. Based on this background, our deep history of privacy enforcement, and our commitment to interoperable international privacy frameworks, we will vigorously enforce the Privacy Shield Framework. We have committed to investigate Privacy Shield companies on our own initiative. We will prioritize referrals from European Data Protection authorities. And we will monitor our orders to ensure compliance with the Framework. When companies don’t comply with orders, we will bring enforcement actions.”
3) As of April 4, 2017, how many active investigations on Privacy Shield compliance does the FTC have?
A: By law, FTC investigations are non-public, and we do not comment on any investigations or the existence of any investigation, except as otherwise authorized by our rules.
4) As of April 4, 2017, how many closed investigations on Privacy Shield compliance does the FTC have?
A: See answer above.
5) As of April 4, 2017, how many individual complaints has the FTC received on Privacy Shield compliance?
A: I understand you have requested that information from our FOIA Office, and they should be responding to that request soon.
Article by Rachael Tackett
Updated on April 12, 2017 at 10:35pm EST to clarify that there are about 40 people within the FTC’s Division of Privacy and Identity Protection.