Beware of Self-Imposed Requirements. Are You Meeting the Mark? 

By Antonia Dumas, Consultant at XPAN Law Group LLC

We have made it clear time and time again that data privacy should be made a priority in your business – and many businesses are taking that advice and running with it. Good for you! But, beware of the high-standards and requirements you are setting up for your business and make sure you are taking the steps necessary to actually meet those standards and requirements.

Joining An Existing Framework

When establishing security and privacy compliance framework for your business, it can be challenging to determine which frameworks or mechanisms you should look to as a reference. In some cases, it may seem advisable to choose a good looking framework and incorporate it into your existing policies to short-cut the steps needed to demonstrate compliance. However, just referencing a framework or a set of principles within your company’s existing policies is not enough. A strong compliance framework includes not just high-level policies, but specific policies addressing privacy and security measures and detailed procedures to ensure you are actually meeting the standards you have committed to in your policies. 

Certain Frameworks Require Self-Certification 

With the extensive requirements of the GDPR looming over companies heads, it may seem easy to seek out simpler ways to demonstrate compliance for data transfers from Europe. For example, the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks require self-certification to compliance with their principles and requirements. The EU-U.S. Privacy Shield Framework is a cross-border mechanism used to comply with data protection requirements when transferring personal data from the European Union to the United States. (See Privacy Shield Package). Note, the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield Frameworks are separate but part of the same Privacy Shield program for cross-border transfers. Businesses in the United States can choose to join one or both of the Frameworks and the substantive requirements are the same. 

The EU-U.S. Privacy Shield Framework protects the rights of anyone in the EU who has personal data transferred for commercial purposes. When joining the EU-U.S. Privacy Shield a business can then benefit from adequacy determinations that permit cross-border transfers and are considered consistent with EU law without implementing additional safeguards. These adequacy determinations come from the European Commission who has the power to determine whether a country outside the EU offers an adequate level of data protection. The European Commission has recognized the United States under its adequacy determinations but limited to the Privacy Shield Framework. 

Although joining the Frameworks is voluntary, once a business makes a commitment (i.e., self-certifies) to comply with the Framwork’s requirements, this commitment is then enforceable under U.S. Law.  The Federal Trade Commission (FTC) is charged with the enforcement of the Framework and has made it a priority among its enforcement efforts to protect consumer privacy. Basically, a company is voluntarily submitting itself to the jurisdictional of the FTC to confirm its privacy and security compliance (a key fact to be aware of when deciding whether to self-certify). 

There are several cases where the FTC is pursuing enforcement of compliance and may help guide businesses on how to keep themselves Privacy-Shield Compliant. Takeaways from these FTC cases include: 

(1) Complete the Process: 

Make sure you have completed the certification process with the Department of Commerce (e.g., submitting an application was not enough for DCR Workforce, Thru,Inc., LotaData, and 

(2) Maintain Compliance: 

Keeping your certification up-to-date (e.g., business must meet the annual recertification requirement and are not permitted to allow their certification to lapse like EmpiriStat while still stating they were adhering to the Privacy Shield Principles).

(3) Do Not Misrepresent: 

Make sure you are not making any false claims of compliance with Privacy Shield requirements as these are considered prohibited deceptive practices (all cases).

All of these cases have proposed settlements that prohibited the misrepresentation of the extent of their participation in any privacy or data security program “sponsored by a government or any self-regulatory or standard-setting group). 

The FTC does not take misrepresentations lightly. Just this month we saw the FTC continue to target companies that seem to mislead consumers on their participation in the EU-U.S. Privacy Shield framework. RagingWire Data Centers, Inc. (a Nevada data storage services company) allegedly claims in its online privacy policy to participate in the Framework and to have complied with the program’s requirements. The FTC alleges that company allowed its certification to lapse even when they were warned to take steps to recertify their participation. The FTC also alleges that the company failed to meet the requirements of  participation in the Framework by failing to complete annual recertification, maintaining a dispute resolution process for complaints and to meet the requirement of affirming continued protection of the personal data collected while participating in the framework. The current proposed settlement, like the other cases discussed above, also include a provision prohibiting misrepresentation of participation in privacy and data security programs as well as requiring the company to comply with FTC reporting requirements. 

Certain Regulations Require Self-Certification 

Also, be aware that certain state regulations may require self-certification of compliance with regulatory requirements. The most well known are the self-certification requirements in New York (under the New York Department of Financial Services (NYDFS) issued cybersecurity regulations). The law NYDFS regulations require that a covered entity proactively establish and maintain a cybersecurity plan and provide annual certifications of compliance. These self-certifications carry with them not only requirements on the business to adhere to what they have certified but also impose personal liability. An individual (the chairperson of the board of directors or senior officer) certifies that they have reviewed all the applicable documents for their company (and their vendors) that are necessary to certify continued compliance on behalf of the company and can be held personally liable for such certification. 

Tips for Developing Your Own Compliance Framework 

  1. Determine what data you are collecting, processing, storing, etc. (e.g., complete a Data Categorization). 
  2. Determine what level of risk is associated with your data (e.g., complete a Risk Assessment and Gap Analysis to determine potential regulatory obligations).
  3. Determine your regulatory obligations and the best practices/standards your business wants to meet.
  4. Develop, implement and continuously review your compliance framework/program incorporating these standards and regulatory obligations.
  5. Ensure you are meeting applicable certification obligations where required. 

XPAN assists its clients by providing various services including Privacy Impact Assessments, Data Mapping and Gap Compliance Analysis as well as step-by-step development of security and data privacy programs. 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.