Companies falsely claimed participation in the EU-U.S. and Swiss-U.S. Privacy Shield frameworks
Every day, untold terabytes of information transfer between the United States and European countries – a vast aggregate of personal and commercial data that benefits users on both sides of the Atlantic.
However, the United States regulates data privacy in a fundamentally different way than European countries, and those differences require a common framework if goods and information are to keep flowing between the jurisdictions. Enter the Privacy Shield Framework. The Shield is a set of principles that companies agree to follow when transferring personal data between services in the United States and services in the European Union (Switzerland has a separate but similar Swiss-U.S. Privacy Shield agreement with the United States).
The Privacy Shield Framework establishes a self-certification regime for U.S. companies. Under the Shield, a U.S. company attests to the Department of Commerce that it complies with the Framework's principles and guidelines, including provisions on notice, accountability, information security and liability. The benefit to participants is concrete: a company that has completed self-certification is publicly listed by the Department of Commerce and may lawfully receive personal data from the EU without putting a separate transfer mechanism in place.
The Federal Trade Commission (FTC) recently settled three cases against U.S. companies that claimed to participate in the EU-U.S. Privacy Shield Framework but allegedly did not meet the regime's requirements. They were the first cases of their kind since the Privacy Shield Framework replaced the earlier U.S.-EU Safe Harbor Framework.
The Commission settled charges against software company Decusoft, printing company Tru Communication, and Md7, which provides real estate services to wireless operators, in early September 2017. The FTC alleged that each company claimed to participate in the Framework when it had in fact never completed the self-certification process with the Department of Commerce. The Commission further alleged that Decusoft had made the same misrepresentation about the Swiss-U.S. Privacy Shield Framework.
Each of the companies agreed to refrain from misrepresenting its participation in any privacy or security program sponsored by a government, self-regulatory, or standards-setting organization. Each also agreed to comply with FTC reporting requirements.
These cases are novel in two respects: they are the first to address the relatively recently adopted EU-U.S. Privacy Shield, and the first to target companies that began a self-certification process under such a program but never completed all of its steps.
Nonetheless, these cases are part of a larger pattern. The FTC brought 39 actions against companies under the predecessor U.S.-EU Safe Harbor Framework, and it has pursued four similar actions related to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
It is clear that the FTC treats false participation claims seriously, and that it is watching for companies that drop out of the certification process midway yet still hold themselves out as Framework participants. Given the FTC's increasing scrutiny of companies' stated data practices and privacy commitments, U.S. companies should not claim adherence to a regulatory scheme until every step of the process, including the final certification, is actually complete.