FTC Aims to “Aggressively Enforce” EU-U.S. Privacy Shield

In an important lesson for companies transferring consumer data from the European Union countries to the United States, recently the Federal Trade Commission (“FTC”) entered into four proposed settlements with companies who faced allegations that they falsely claimed to be certified under the EU-U.S. Privacy Shield.

The FTC aims to “aggressively enforce the Privacy Shield and other cross-border privacy frameworks.”  Director Andrew Smith reinforced that they will hold companies accountable for falsely claiming participation in the Privacy Shield or failing “to honor their Privacy Shield commitments.”

In brief, the Privacy Shield is a set of protocols permitting the transfer of personal data between Europe and the United States (in various contexts, such as ecommerce, social media posts, and the internal management of global corporate groups).  For more background information on the “Privacy Shield 2.0”, see our prior post: The New “EU-US Privacy Shield”.

In one case, the FTC alleged that the company applied for Privacy Shield certification in 2017, but did not complete all of the steps of certification and nevertheless claimed compliance on its website.  In the three other complaints, the FTC alleged that companies allowed their certifications to lapse but despite this, continued to represent compliance on their websites.

Two of the companies faced additional allegations that they failed to affirm to the Department of Commerce that they would continue to apply Privacy Shield protections to data already collected--a Privacy Shield requirement.

As part of the proposed consent orders, the companies are prohibited from misrepresenting their participation in a data security program and must comply with FTC-reporting requirements.  Two of the companies must also continue to apply Privacy Shield protections to data already collected prior to lapse of their certification, by some other means allowed by the Privacy Shield framework, or otherwise return or delete the data within ten days of the order.

The public may comment on the proposed consent orders through October 29, 2018.

Key Takeaway:

These recent settlements demonstrate that the FTC is keenly paying attention to and enforcing Privacy Shield issues.  Most importantly, companies should regularly review public facing statements to ensure that they are entirely accurate (and compliant with their own policies and the law).