The U.S. Federal Trade Commission (FTC) recently settled enforcement actions against three companies accused of misleading consumers about their participation in the European Union-United States Privacy Shield framework, which allows companies to transfer consumer data from EU member states to the United States in compliance with EU law. These actions – the first ones taken by the FTC since the Privacy Shield framework went into effect in July 2016 – reaffirm the FTC’s commitment to enforcing U.S. companies’ stated policies concerning Privacy Shield.

EU-U.S. Privacy Shield

The Privacy Shield framework allows U.S. companies to transfer data outside the EU in a manner consistent with EU law. Companies subject to the jurisdiction of either the FTC or the U.S. Department of Transportation may take advantage of the protections offered by Privacy Shield. To join Privacy Shield, an eligible company must self-certify to the U.S. Department of Commerce that it complies with a set of principles and related requirements that have been deemed by the European Commission as providing adequate privacy protection. Companies are required to re-certify every year to retain their status as current members of Privacy Shield.

False claims of participation in Privacy Shield are subject to enforcement actions by the FTC as deceptive acts or practices under Section 5 of the FTC Act. Within two months of President Trump taking office, acting FTC Chairman Maureen Ohlhausen reiterated the agency’s intention to vigorously enforce the Privacy Shield framework.

(For more information on the Privacy Shield framework, see EU and US Reach Agreement in Principle on Successor to ‘Safe Harbor’ for Trans-Atlantic Data Transfers.)

FTC’s Privacy Shield Cases

The FTC recently took action against three U.S. companies, alleging that they violated the FTC Act by falsely claiming participation in the Privacy Shield framework. The settling parties were a human resources software company, a printing services provider, and a firm that manages real estate leases for wireless companies. Despite the parties’ claims of Privacy Shield participation, each of the three companies had initiated but failed to complete the certification process for Privacy Shield, according to the FTC complaints.

The three companies entered into consent orders with the FTC, which prohibit them from making representations about their membership in any privacy or security program sponsored by the U.S. government or any other self-regulatory or standard-setting organization. The orders, which also include various reporting and compliance measures, have a term of twenty years.

In addition to Privacy Shield, the FTC alleged that one of the three companies had falsely claimed participation in the Swiss-U.S. Privacy Shield framework, which went into effect in April 2017 and is identical to the EU-U.S. framework. Earlier this year, the FTC also initiated enforcement actions involving false claims of participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules. Although each of these programs is voluntary, like any other representation a company makes, claims about participation in these privacy programs must be truthful.

The FTC cases were the first ones brought by the agency to enforce Privacy Shield, which replaced the EU-U.S. Safe Harbor framework in July 2016. The FTC’s previous actions enforcing Safe Harbor involved false claims of participation by companies that had never participated, had participated at one time, or failed to comply with the annual self-certification requirement under Safe Harbor. (See Safe Harbor in a Storm.)

Key Takeaways

  • The FTC will continue to hold companies accountable for the promises they make to consumers regarding their privacy policies, including participation in Privacy Shield.
  • Companies participating in Privacy Shield should re-evaluate their privacy procedures and policies regularly to ensure compliance with the various requirements of the Privacy Shield framework.
  • Once a company initiates the Privacy Shield certification process, it must complete that process to claim participation in the Privacy Shield framework.
  • Companies looking to participate in Privacy Shield or a similar privacy program should consult counsel to ensure the program is the best option for their particular business needs.