Just as the Sword in the Stone could only be used by its rightful owner, the Privacy Shield can only be claimed by the rightfully certified entities. If not, false representations may stir Federal Trade Commission action. The FTC recently announced their first enforcement actions involving the EU-US Privacy Shield framework, settling complaints with three US companies.
Picking up where they left off under the now-defunct US-EU Safe Harbor framework, under which the FTC brought 39 enforcement actions, the FTC alleged that Decusoft, LLC (human resources software), Tru Communication, Inc. (printing services), and Md7, LLC (real estate leases for wireless companies) violated the FTC Act by falsely claiming they were certified to participate in the EU-US Privacy Shield. Decusoft was also accused of violating the Swiss-US Privacy Shield. According to the FTC, none of the companies completed the steps required for certification, and are now prohibited from “misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.” [If you’d like to read more about the EU-US Privacy Shield and Swiss-US Privacy Shield, we wrote about each here and here.]
We recently covered privacy statements and the importance of consumer consent and options in related agreements. Privacy statements must also accurately reflect statements about your organization’s current privacy certifications or compliance status. The FTC has made it clear that they are committed to aggressively enforcing the Privacy Shield and other privacy issues, and companies are advised to conduct a thorough review of current privacy policies and certifications and how those are represented and advertised. Companies intending to become Privacy Shield-compliant must monitor their application status and respond to follow up requests from the US Department of Commerce until their status is fully confirmed.