On September 8, 2017, three U.S. companies settled actions brought by the Federal Trade Commission ("FTC") for misleading consumers about their participation in the EU - U.S. Privacy Shield Framework ("Privacy Shield"). These were the first Privacy Shield enforcement actions brought by the FTC. The Privacy Shield replaced the U.S. - EU Safe Harbor framework as the legal mechanism for transatlantic data flows in August 2016. It functions through a self-certification process by which U.S. companies agree to adhere to a set of privacy principles, including notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Compliance with the Privacy Shield by U.S. companies is enforced by the FTC.

Why did the FTC bring these complaints?

The FTC brought separate actions against three companies: Decusoft, LLC - a human resources software company; Tru Communication, Inc - a printing services company; and Md7, LLC - a real estate management company. According to the complaints, the three companies violated the FTC Act by falsely claiming or misleading their customers to believe that they had completed the certification process for compliance with Privacy Shield. All three companies claimed that they were compliant with the Privacy Shield in their online privacy policies. Notably, each company had started the Privacy Shield application process, did not complete the necessary steps to complete the application process, and yet claimed compliance and certification.

What were the terms of the consent agreements?

The consent agreements published by the FTC in the Federal Register include six major points. Part I of each order prohibits the companies from misrepresenting their compliance with any privacy or data security system, including, but not limited to the Privacy Shield. Part II requires acknowledgement and dissemination of the order to relevant personnel, both present and future. Part III mandates notification to the FTC of any change in the companies' corporate status, as well as submission of an initial compliance report to the FTC. Part IV requires the companies to retain documents related to their compliance for a five-year period. Part V ensures that the companies will make compliance reports and other relevant information available to the FTC in the future. Part VI includes a "sunsetting" of the order after 20 years. The consent agreements do not include fines.

The FTC published the consent agreements in the Federal Register, and they are open to public comment until October 10, 2017. After the comment period closes, the FTC will issue final orders. Interested parties may submit comments electronically through www.ftc.gov.

What does this mean for US companies?

European and American regulators met on September 18, 2017 for the first annual review of the EU - U.S. Privacy Shield framework. During the meeting, U.S. Commerce Secretary Wilbur Ross assured EU Justice Commissioner Věra Jourová that the U.S. is committed to the privacy protection promises it made in the Privacy Shield agreement with the EU. The European Commission will issue its official Privacy Shield report in October.

The recent FTC enforcement actions, as well as the U.S. Commerce Secretary's stated commitment to upholding the principles behind the Privacy Shield, increase the likelihood that the FTC will continue to closely monitor the practices of U.S. companies that have self-certified under the Privacy Shield or make claims regarding their compliance with the Privacy Shield. Likewise, the impending General Data Protection Regulation ("GDPR"), which will be implemented starting on May 25, 2018, puts more pressure on U.S. regulators to demonstrate U.S. compliance with increasingly more stringent European data protection requirements. US companies that engage in transatlantic data transfers should carefully review both Privacy Shield and GDPR and ensure that their data processing practices and any statements regarding privacy compliance are in accordance with any applicable requirements.