The ‘Privacy Shield’ Is Here — How It Affects You

There’s a new framework for creating greater data privacy between the United States and the European Union. While it’s taken two years of work, some would argue little has changed and that it’s likely to get struck down — others laud the progress. Let’s get clarity on what that means for businesses leveraging data “across the pond.”

Transatlantic Data Privacy Is Dead. Long Live Transatlantic Data Privacy.

First there was Safe Harbor, the European Union-United States agreement to protect the data privacy of users in Europe as that data pulsed across the Internet and into the United States. It was arguably a historic step, but it was ultimately struck down and eliminated. Many questioned its value beyond being “a step.” It has now been replaced by the “EU-U.S. Privacy Shield,” which imposes greater obligations on U.S. businesses to protect Europeans’ personal data.

The Privacy Shield Agreement establishes a whole new set of legal requirements by the E.C.J., the European Court of Justice, which also ruled the previous Safe Harbor framework invalid.

What Is the Privacy Shield?

First and foremost, the Privacy Shield is opt-in. If your business doesn’t opt in, you don’t have to abide by it. The downside is that you won’t be published on the “list” of Privacy Shield compliant companies. European consumers could refuse to do business with you, and it could become a media problem, though the average consumer probably doesn’t know the ins and outs of data privacy. So its success will, in part, rely on its adoption. If it is not adopted widely, we can expect additional regulations to compel organizations exporting data from the E.U. to meet the objectives of the Privacy Shield.

Most importantly, however, the Privacy Shield includes, for the first time, written commitments and assurances regarding access to data by public authorities. For the first time, the United States has given written assurances that it will not conduct mass surveillance of data entering the U.S.

The new Privacy Shield agreement requires the U.S. to “monitor and enforce” more aggressively. Also, new and greater collaboration with the E.D.P.A., the European Data Protection Authorities, is required by the United States.

The goals of both the original Safe Harbor Agreement and the new Privacy Shield are quite similar. Businesses must treat data created in the E.U. in accordance with E.U. law, regardless of whether that data is physically stored on a server in New York or Paris.

So how do companies accomplish this? The answer is by basically stating “yes, we meet the E.U. standards.” So not much has changed between Safe Harbor and Privacy Shield here.

How Do the Safeguards in the Privacy Shield Work?

However, new safeguards help ensure that both companies and governments abide by the Privacy Shield’s requirements:

  • The first difference is a real one: it now falls on the shoulders of the U.S. Department of Commerce to make sure that companies meet the more stringent data privacy requirements. The Department of Commerce will monitor whether companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
  • Second, if your data originates from the European Union ― and you don’t have to be a European (the U.K. is still covered post “Brexit”) ― you can complain if you feel your privacy rights were violated. Those complaints will now be sent to the U.S. and must be addressed “expeditiously” and at “no cost to the individual.”
  • In the agreement, the United States “ruled out indiscriminate mass surveillance on personal data transferred to the U.S.” Furthermore, the U.S. promises in writing that mass collection of data originating from the E.U. will “only be used under specific pre-conditions and needs to be as targeted and focused as possible.”
  • An ombudsperson will now handle complaints about data that is accessed on “national security grounds” — they are tasked with working independently of all other federal security agencies, which is a significant commitment for the United States, given our recent history and experiences under the Patriot Act.

Implementation for U.S. Firms in Simple Terms

At this juncture there are still details being worked out in the Privacy Shield Framework, but the following steps for U.S. firms are fairly clear:

  • Self-certify annually that the firm meets the requirements.
  • Display a privacy policy on the firm’s website.
  • Reply promptly to any complaints.

Some might call all this common sense; some may call it nonsense. But data privacy is an issue that deserves credit for being addressed, and for applying the lessons of the judgment that struck Safe Harbor down.

We recommend businesses leveraging personal data, whether exporting from the E.U. or solely using it domestically, exercise some simple, common-sense steps that are consistent with the Privacy Shield:

  • Publish a privacy policy.
  • Listen to your customers.
  • Have a clear and simple statement on how you will use consumer data – and how you won’t.

These simple steps can get you started, and there will certainly be more to come with regard to data privacy.

Be Warned of the “Professional Plaintiff”

A client recently received the ultimate “shakedown” letter—claiming violation of the California CAN-SPAM law as a result of getting eight emails, demanding $80,000 in statute-mandated damages, yet willing to settle for $2,400. Unfortunately, this has become a cottage industry. The California law has a private right of action that has been taken advantage of by a few noteworthy legal vigilantes. Their actions have created a template for the “shakedown.”

[Editor’s Note: Gary Hennerberg is traveling this week, but attorney Peter Hoppenfeld has stepped in to supply this week’s blog.]

To add insult to injury, the “professional” victim opted in herself for each of the lists that she claims issued a spam email. I’m fairly sure that she probably has a cyber ambulance-chasing attorney ready to pounce on a contingency basis.

What do you do?

The American Corporate Counsel Association has issued a white paper that is very helpful. It seems the spam demand toolkit left out one key defense: if your ISP has reasonable processes in place to prevent spamming, the statutory damages in California are reduced from $1,000 to $100 per occurrence.

Quoting my letter:

First, it is clear that you are following a textbook (albeit outdated) approach of a “professional plaintiff” under the California anti-spam law. Attached is a copy of a White Paper prepared by the Association of Corporate Counsel that clearly rebuts each and every point that you have raised in an attempt to coerce my client to pay you monies.

We are in possession of proof that you opted into a number of email lists as proof that these emails are not unsolicited. Even if unsolicited, all of my client’s emails contain compliant opt-out links and you have not elected to take advantage of that option.

The element of the California law that you conveniently ignored is Section 17529.8 which reduces the potential statutory damages to $100 per occurrence. Please note:

“… working with reputable email service providers (ESPs), advertisers can be more confident that recipients did opt in to receive commercial email. ESPs generally maintain or can produce evidence of each opt-in, in the form of the IP address from which the consumer opted in, the date/time stamp of the opt-in, and other information. [NOTE: ALL IN OUR POSSESSION.]

While plaintiffs may contest the veracity of such evidence in a proceeding, once the evidence is produced, the burden to show it is inaccurate generally shifts to the plaintiff. [NOTE: WE ARE UNAWARE OF ATTORNEYS WHO WILL TAKE A MATTER ON CONTINGENCY WHEN THERE ARE BURDENS OF PROOF SUCH AS THIS.]

More importantly, statutory damages under the Code of $1,000 for each spam are reduced to $100 for each spam, when there is evidence that a defendant established and implemented practices and procedures reasonably designed to effectively prevent spamming.” [NOTE: SUCH PRACTICES AND PROCEDURES ARE IN PLACE.]

Accordingly, we deem your demand a “shake down” and a nuisance, and to save time and expense offer you the sum of $800 in full and final settlement of this matter. No monies will be provided to you unless you agree in writing: that no Spam violation took place; to maintain the terms of this arrangement confidential; and to agree to a penalty of $10,000 if it is determined that in the future you are engaged in any attempt to assist others to assert this type of claim against my client.

The matter settled, but the complainer remained indignant. Unbelievable.

Key takeaways:

  • Have a complete understanding of the CAN-SPAM laws.
  • Use an identifiable “from” address and a non-deceptive subject line, include a physical address, provide an opt-out link, and remove people who opt out within 10 days.
  • Even more importantly, if affiliates are mailing for you, make sure they “scrub” their lists against your suppression list.

Good Luck All. It’s a jungle out there.

Peter Hoppenfeld is an attorney and adviser in the representation of direct marketers, speakers, authors, information marketers, “thought leaders,” entrepreneurs and domestic and international training companies and their founders. Reach him at peterhoppenfeld.com.

DMA International E-mail Guide Available

Did you know that “forward-to-a-friend” or “member-get-member” marketing techniques in e-mail are currently permitted in Argentina, Hong Kong and Israel, but not in Hungary or Poland? Or that while Canada does not have legislation specifically addressing the issue of e-mail marketing, the key legislation for e-mail marketers there is the federal privacy law, PIPEDA? Or that in China there is no legal definition or best practice that specifically defines “opt-in”?

These were just a few of the facts I learned thumbing through the Direct Marketing Association’s very useful International Email Compliance Resource Guide. The book is a compendium of e-mail marketing regulations and practices for individual countries.

The report is valuable for two reasons:

  • International e-mail marketing is growing. Many companies today are looking for new opportunities to market their products and services abroad while the economy here is in the doldrums.
  • To my knowledge, there really isn’t easily accessible information of this nature available on the subject of international e-mail laws.

Here are some of the topics the DMA touches on in the guide:

  • affirmative consent;
  • legal definition of opt-in;
  • forward-to-a-friend;
  • privacy policy in e-mails; and
  • other best practices.

For the guide, the DMA developed a questionnaire targeting key areas of legislation regarding e-mail regulations and data protection. The questionnaire was then administered to preselected respondents who were knowledgeable about their country’s e-mail laws.

Responses varied from country to country based on the questions they answered. In cases where no questionnaire was submitted, a link to the relevant law is provided as well as contact information for local DMAs and/or departments of data protection.

I strongly suggest you check it out.