The U.S. Federal Trade Commission (FTC) recently settled enforcement actions against four companies accused of misleading consumers about their participation in the European Union-United States Privacy Shield framework, which allows companies to transfer consumer data from EU member states to the United States in compliance with EU law. These collective actions demonstrate the FTC’s ongoing commitment under new Chairman Joseph Simons to enforce U.S. companies’ filing obligations with the U.S. Department of Commerce as part of their efforts to comply with the Privacy Shield. These actions are also consistent with a recent statement by Gordon Sondland, U.S. Ambassador to the European Union, that the U.S. is complying with EU data protection rules.
EU-U.S. Privacy Shield
The Privacy Shield framework, which was designed by the Department of Commerce and the European Commission, allows U.S.-based companies and organizations to transfer data outside the EU in a manner consistent with EU law. Companies subject to the jurisdiction of either the FTC or the Department of Transportation may take advantage of the protections offered by the Privacy Shield. To participate in the EU-U.S. Privacy Shield, a company or organization must self-certify to the Department of Commerce and publicly commit that it complies with the Privacy Shield Principles and related requirements to meet the EU’s adequacy standards. Companies and organizations are also required to re-certify annually to retain their status as current members of the Privacy Shield.
A company or organization that claims to participate in the Privacy Shield but has failed to register or re-certify with the Department of Commerce may be subject to an enforcement action by the FTC. False claims of participation in the Privacy Shield are considered deceptive acts or practices under Section 5 of the FTC Act.
Recent Enforcement Actions for Privacy Shield Violations
The FTC recently brought enforcement actions against four firms for allegedly making false statements that they were properly certified under the EU-U.S. Privacy Shield. These are the second FTC Privacy Shield enforcement actions under Joseph Simons, who became Chairman on May 1, 2018, and the third enforcement actions since the Privacy Shield framework went into effect in July 2016.
The four firms – IDmission, LLC, mResource LLC (doing business as Loop Works), SmartStart Employment Screening, Inc. and VenPath, Inc. – each entered consent agreements with the FTC. IDmission offers a cloud-based technology platform to help businesses engage with their customers. Loop Works offers recruitment and “talent management” services. SmartStart Employment Screening offers background and employment screening services. VenPath offers data analytics services related to mobile apps.
The FTC alleged that three of the firms – mResource, SmartStart and VenPath – had each obtained a Privacy Shield certification but failed to renew their self-certification registration. All three firms continued to post statements on their websites stating that they were complying with the Privacy Shield after their registrations had expired. The FTC alleged that the fourth firm – IDmission – had applied to the Department of Commerce but failed to complete the required steps to participate in the Privacy Shield even though it maintained on its website that it was complying with the Privacy Shield.
The FTC also alleged that VenPath and SmartStart had failed to abide by the Privacy Shield requirement that companies that stop participation in the Privacy Shield affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
All four companies entered into consent orders with the FTC which prohibit them from making representations about their membership in any privacy or security program sponsored by the U.S. government or any other self-regulatory or standard-setting organization. The orders, which also include various reporting and compliance measures, have a term of twenty years. VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order.
- The FTC will continue to hold companies accountable for the promises they make to consumers regarding their privacy policies, including participation in the Privacy Shield.
- Companies participating in the Privacy Shield should re-evaluate their privacy procedures and policies regularly to ensure compliance with the various requirements of the Privacy Shield framework.
- Once a company initiates the Privacy Shield certification process, it must complete that process to claim participation in the Privacy Shield framework.
- Companies looking to participate in the Privacy Shield or a similar privacy program should consult counsel to ensure the program is the best option for their particular business needs.