Settlements Reached in Round Two of FTC’s EU-U.S. Privacy Shield Enforcement Actions
As additional evidence that the United States takes enforcement of the Privacy Shield Framework seriously, a new wave of settlements has been reached concerning the Federal Trade Commission’s (FTC) complaints related to companies’ false claims of EU-U.S. Privacy Shield certification. The timing of these enforcement actions is significant because the future of this EU-U.S. agreement concerning the cross-border transfer of personal data is unclear.
The EU-U.S. Privacy Shield certification is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. Companies seeking to join the Privacy Shield are required to self-certify via the Department of Commerce website and publicly commit to comply with the requirements of the Privacy Shield Framework (the “Framework”). Once a company makes a public commitment to comply with the Framework’s requirements, that commitment is enforceable under U.S. law.
FTC Enforcement Action
In addition to the accusation of falsely claimed certification, VenPath and SmartStart also faced allegations that they failed to abide by a key provision of the Framework, which requires companies that stop participating in the Privacy Shield to affirm to the Department of Commerce that they will continue to apply Privacy Shield protections to personal information collected while participating in the Framework.
All four companies have now agreed to settle the allegations raised by the FTC. Under the proposed settlements, these companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must likewise comply with FTC reporting requirements.
VenPath and SmartStart are also required to continue to apply the Privacy Shield protections to personal information they collected while participating in the Framework, to protect it by another means authorized by the Framework, or to return or delete the information within 10 days of the order.
All four consent agreements will be subject to public comment through October 29, 2018, after which the FTC will decide whether to make the proposed consent orders final.
In its press release issued on September 27, 2018, the FTC emphasized its continued focus on companies’ Privacy Shield commitments. In that release, Andrew Smith, the director of the FTC’s Bureau of Consumer Protection, stated, “We have now brought enforcement actions against eight companies related to the Privacy Shield, and we will continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.”
Why This Matters
Certification to the Privacy Shield Framework continues to be relied upon by many U.S. companies as their compliance solution for the requirements of the EU General Data Protection Regulation (GDPR) concerning the cross-border transfer of personal data of persons located in the European Union to the United States. The GDPR prohibits both controllers and processors from transferring EU personal data to a country whose laws the European Commission has not determined to provide an adequate level of protection. The United States has not received an “adequacy determination,” so U.S. companies must import personal data from the EU in reliance upon “appropriate safeguards” or with the consent of the data subject. Transfers of personal data to the U.S. under the auspices of the Privacy Shield Framework are considered by the European Commission to be consistent with GDPR requirements.
These FTC enforcement actions highlight two compliance considerations. First, an organization should not claim Privacy Shield certification status before completing the certification process. Claims of participation in the Privacy Shield Framework should not be publicized on a company’s website or in legal documents until the Department of Commerce has notified the company that its certification process is final. Second, certified companies are required to recertify their participation in the Framework on an annual basis. If a certified company subsequently decides to discontinue its participation in the Framework, it should remove any certification claim from its website or privacy notice and arrange to continue to honor the Framework’s safeguards with respect to data collected during the time the company represented itself as a Privacy Shield participant, or it should return or delete that information.
Victoria E. Beckman is the co-chair of the Privacy & Data Security team and the chair of Frost Brown Todd’s Latin America Desk. Her practice concentrates on issues of cybersecurity and data breach response.