Though the Federal Trade Commission (FTC) remains low on Commissioners (there remain only two out of five), the FTC is still actively enforcing privacy matters. On September 8, 2017 the FTC announced its first cases addressing the EU-U.S. Privacy Shield. In three separate actions, the FTC settled charges against three companies for falsely claiming participation in the EU-U.S. Privacy Shield. One of the companies also claimed participation in the Swiss-U.S. Privacy Shield.
The FTC previously settled similar charges against dozens of companies for falsely claiming participation in the framework (Privacy Shield’s predecessor) in their website privacy statements without actually having completed the certification process or failing to recertify compliance through the U.S. Department of Commerce (Commerce), which administers the frameworks. In all three of the settlements announced today, the companies allegedly initiated applications to Commerce for Privacy Shield certification, but did not complete the steps necessary to participate in the framework.
The previous Safe Harbor settlements taught us that companies wishing to enjoy the benefits of the data transfer frameworks must be certain to avoid stating compliance with the programs without actually completing the certification process through Commerce. The important lesson from today’s cases is that it is equally risky to start and then abandon an application with Commerce or fail to respond to follow up requests from Commerce all the while maintaining public privacy statements which claim Privacy Shield compliance.