• Voided Safe Harbor a blow to FTC enforcement powers preventing consumer harm
  • Companies must use alternatives such as model contracts and binding corporate rules while revised agreement is drafted

The Federal Trade Commission has lost an important mechanism for privacy and data security enforcement in data flowing across the Atlantic with the invalidation of the Safe Harbor framework, according to Commissioner Julie Brill. Speaking at the Amsterdam Privacy Conference on October 23, Ms. Brill called for global attention on the implications of the European Court of Justice’s October 6 decision. One of Brill’s main concerns was the decisions impact on the ability of US regulators to protect the data collected from European consumers.

The invalidation of the Safe Harbor agreement came into effect immediately without a grace period, causing an international uproar. US and European officials are currently working to complete a revised safe harbor agreement to both comply with the ECJ’s decision and help restore some aspects of the previous agreement. In the meantime, companies must now turn to alternatives such as model contracts and binding corporate rules. Arent Fox’s Cybersecurity & Data Protection practice previously shared key actions that companies should take as EU-US data flow is reconsidered here.

Ms. Brill emphasized that in the absence of safe harbor, companies have little reason to make representations to consumers that the FTC can monitor and take action against if a company misrepresents their privacy standards. In turn, the FTC faces new challenges in protecting consumers from financial harm, inappropriate data collection, unwarranted intrusions, and data exposures. It “removes the most explicit link between FTC enforcement and our ability to protect European consumers,” she said. The US Commissioner also characterized the European Commission’s new protocols as “far less transparent” than transfers under the original Safe Harbor agreement.

Interestingly, Brill noted that a comprehensive privacy law in the US may not be the solution. She explained that the current system – which involves a patchwork of laws to protect and regulate different types of data – provides a "strong and comprehensive “level of protection. “Although I support additional consumer privacy legislation in the U.S.,” she said, “I do not believe such legislation is prerequisite for a post-Schrems data transfer mechanism.”

Policymakers now must create a revised transatlantic data transfer mechanism that protects EU citizens and US consumers, provides certainty to businesses, and creates a feasible process for companies of all sizes to transfer personal data.