The Federal Trade Commission recently announced settlements with Decusoft, LLC, Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, resolving allegations that the companies misrepresented their participation in the E.U.-US and Swiss-US Privacy Shield. The announcement comes just before the first Privacy Shield annual review (scheduled for September 2017) and marks the FTC’s first enforcement action related to Privacy Shield. This post provides a brief overview of the Privacy Shield framework, notable facts from the enforcement action, and key takeaways for companies.
Privacy Shield. The E.U.-US and Swiss-US Privacy Shield frameworks are an alternative transfer mechanism for companies to transfer E.U. and Swiss individual data to the United States in compliance with E.U. and Swiss data protection requirements. To participate in either framework, a company must self-certify to the Department of Commerce (“Commerce”) that it adheres to the Privacy Shield Principles. The FTC enforces compliance with the Privacy Shield framework under its Section 5 deception authority, and companies who misrepresent their Privacy Shield participation run the risk of an FTC enforcement action.
Key Takeaways. Since 2009, the FTC has settled 36 cases involving claims of Safe Harbor participation, three cases involving alleged violations of Safe Harbor Privacy Principles, and four cases involving claims of participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. As noted in the chart below, the FTC has been active in enforcing cross border privacy frameworks, and companies should expect this trend to continue. As part of the Privacy Shield negotiations, the FTC committed to give priority to Privacy Shield non-compliance referrals received from EU Member States, Commerce, and privacy self-regulatory organizations and other independent dispute resolution bodies. With the first Privacy Shield annual review forthcoming, these enforcement actions affirm that commitment.
|Year||FTC Enforcement Actions and Warning Letters|
|2009-2013||-10 Companies Settle Safe Harbor Charges|
|2014||-14 Companies Settle Safe Harbor Charges|
|2015||-15 Companies Settle Safe Harbor Charges|
|2016||-1 Company Settles APEC CBPR Charges -FTC Issues Warning Letters to 28 Companies Regarding APEC CBPR Participation|
|2017||-3 Companies Settle APEC CBPR Charges -3 Companies Settle Privacy Shield Charges|
In light of this activity, companies should review their privacy policies and similar statements to ensure that claims about participation in or compliance with self-regulatory or governmental privacy related programs are up to date and accurate.