When thinking about whether your company would benefit from Privacy Shield certification, the most important question to answer is: is my company under the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT)? If the answer is yes, then the Privacy Shield could be of real benefit to your organization when dealing with the transatlantic transfer of personal data from the European Union to the U.S.
The Privacy Shield certification requirements include the stipulation that the FTC or the DOT must have jurisdiction over the organization’s activities. This means that some industries, such as banking, insurance, and telecommunications (to name a few), are excluded, but if the activities of your organization do come under the remit of the FTC or the DOT, then read on.
One thing to still consider, regardless of whether your organization falls under the jurisdiction of the FTC or the DOT, is: does my organization deal with the personal data of European residents?
Again, if the answer is yes, then you will still have to follow the General Data Protection Regulation (GDPR) set out by the European Commission. Having said that, the principles outlined by the Privacy Shield are similar to those of the GDPR (learn about GDPR vs. Privacy Shield).
In fact, the European Commission has found the Privacy Shield framework adequate as per their adequacy determination. If you wish to learn more about the GDPR, Privacy Shield, and adequacy determination you can read a more detailed article on our blog here.
Air Transport
The U.S. Department of Transportation has jurisdiction over all U.S. and foreign commercial air transport. This means that all airlines operating within and into the U.S. are under its remit. Airlines and airports collect and process large amounts of personal data, and where this data originates within the European Union (EU) and belongs to an EU citizen or an EU resident, it must be treated under the relevant data privacy protocols, in this case, the U.S. Privacy Shield.
However, the marketing and sale of commercial airline tickets or general air transportation tickets are under the jurisdiction of the Federal Trade Commission. This includes travel agents, air ticket booking sites, and an airline’s own website if it is possible for customers within the EU to book directly.
Online Retail
The one industry that will require Privacy Shield certification, in the long run, is the online retail industry. The industry is seeing continual growth, especially during this period of the COVID-19 outbreak. The Federal Trade Commission has jurisdiction over most retail activities, and this includes online retail activities.
Any company or organization that offers its goods and services directly to consumers within the EU via an online platform is subject to EU data privacy restrictions and will become legally compliant through fulfilling the Privacy Shield Certification requirements. This includes personal data collected explicitly through sign-up forms or payment mechanisms but it also includes any personal data that is collected through cookies or similar analytic tools.
Marketing and Advertising
Marketing and advertising is the most obvious industry that requires Privacy Shield certification, as it is almost entirely data-driven these days. The Federal Trade Commission has jurisdiction over marketing and advertising to retail customers and the public in general. The FTC shares the jurisdictional responsibilities for the marketing and sale of commercial air transport with the Department of Transportation.
Any business or organization whose activities involve the collection or processing of the personal data of individuals from within the EU should have Privacy Shield Certification if it wants to protect itself from breaking EU data privacy laws. The Privacy Shield Certification requirements are designed to make it easy for organizations to comply with these laws through a clear step-by-step process.
Hospitality and Tourism
If your business involves taking inquiries and bookings from EU citizens and residents within the EU, then you are engaged in collecting and processing their personal data. How will you ensure that your organization, or even small business, is compliant with data privacy laws? With over 57 percent of travelers choosing to book their accommodation directly via the destination’s online portal, millions of Europeans are sharing their personal data with U.S. businesses every year.
Since the FTC has jurisdiction over the Hospitality and Tourism industry, Privacy Shield certification is available to it. Collecting and processing personal data in line with the Privacy Shield certification requirements guarantees your business is in compliance with data protection law.
Video Game Industry
One industry that may have you scratching your head is the video game industry. The video game industry falls under the jurisdiction of the FTC. The primary reason for this is that in recent years video games have evolved from stand-alone titles to software as a service (SaaS). This recent development has led to the gaming industry “tacking on” digital products to the games they provide their audience, which then becomes an ongoing service.
The primary one that has piqued the interest of consumer rights groups and the FTC is that of loot boxes. Loot boxes act as a pseudo-gambling mechanic that randomizes rewards, which may range from cosmetic appearances for your avatar to virtual badges, etc.
Amongst other things, in addition to falling under the jurisdiction of the FTC, the gaming industry gathers a large quantity of personal data, including that of children under the age of 13. This heavy emphasis on parental consent is prime grounds for joining the Privacy Shield framework.
Another thing that general consumers may not be aware of is the susceptibility the industry has to cyber attacks. In recent times the industry has been plagued by personal data breaches such as Bethesda with their title Fallout 76, and most recently with their hit title Doom: Eternal coming under fire for malware issues.
With such a high susceptibility to cybersecurity issues, the video game industry is a strong contender for best practice models. This also includes the necessity for businesses both large and small within the industry to join the Privacy Shield framework, with the second-largest consumer group coming from the European continent.
Closing Remarks
If you find that your organization falls under one of the categories mentioned, it is advised that you get Privacy Shield certification. Keep in mind that these are some of the biggest industries found in our research that would absolutely require Privacy Shield certification, but the list is not limited to these 5. Honorable mentions include:
- Social Media (dating, niche social media, etc.)
- International Parcel Delivery
- Train companies (where the websites allow booking from Europe)
- Human Resources: recruitment industry
It’s important to note that regardless of whether your industry falls under the jurisdiction of the Federal Trade Commission or the Department of Transportation, if your business deals with the personal data of European residents, it is paramount that you are GDPR compliant.
At RSI Security, we understand those needs. We can help with all cybersecurity services, ranging from compliance measures, such as GDPR, to full-stack cybersecurity architecture and implementation. Become GDPR compliant today!