The EU–US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.
Nearly three years ago, the EU-U.S. and Swiss-U.S. Privacy Shield frameworks replaced the U.S.-EU and U.S.-Swiss Safe Harbor programs as a self-certification mechanism to transfer personal data from the European Union and Switzerland, respectively.
Although participation is completely voluntary and organizations are free to use other lawful methods to transfer data from the European Union and Switzerland (such as the Standard Contractual Clauses published by the European Commission), the U.S. Federal Trade Commission (“FTC”) can take action under Section 5 of the FTC Act when companies make deceptive claims about their privacy and data security practices, including their participation in international privacy programs, such as the Privacy Shield frameworks.
Recently, it appears that the FTC has increased monitoring companies’ claims regarding participation in these regimes and is taking action against those that misrepresent their compliance with such programs.
Recently, the FTC reached a settlement with a background check company, SecurTest, Inc. (“SecurTest”), over allegations that the company violated Section 5 of the FTC Act when it claimed in its privacy notice to consumers that it participated in the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and that it had “certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles.”
According to the FTC’s complaint, SecurTest applied to the Department of Commerce to participate in both frameworks but never completed the process, and therefore the claim in its privacy notice of participation in the Privacy Shield frameworks was false.
Under the settlement terms, SecurTest must:
- refrain from misrepresenting its participation in either Privacy Shield framework or any other privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization;
- spread awareness to its stakeholders of the company’s noncompliance, and;
- submit to ongoing compliance monitoring and record-keeping requirements.
The FTC also issued warning letters to more than a dozen unnamed companies for misrepresenting their participation in the U.S.-EU and U.S.-Swiss Safe Harbor frameworks, which were invalidated in October 2015 and any self-certifications under those programs have expired. In addition, the FTC sent warning letters to two companies for falsely claiming to participate in the Asia-Pacific Economy Cooperation Cross-Border Privacy Rules (“APEC CBPR”) system, a voluntary but enforceable framework designed to protect consumer data traveling between APEC-member countries.
The FTC requested that the these companies remove from their websites, privacy policies or public documents any statements claiming participation in either of the Safe Harbor programs, and requested that the two companies either:
- remove from their websites, privacy policies, or other public documents any statements that might be construed as claiming participation or involvement in the APEC CBPR system, or;
- prove that they had undergone the requisite review and certification. If the companies fail to take action within 30 days, the FTC warned that it would take appropriate legal action.
Privacy policies claiming compliance with invalidated or updated programs or laws clearly present a red flag to regulators. In this most recent instance, the FTC continued its trend of aggressively policing companies that falsely claim to be Privacy Shield compliant and that misrepresent their participation in other trans-border programs.
Companies that continue to represent to the public their participation in these programs after failing to complete certification or re-certification run the risk of FTC enforcement.
Source & further reading: National Law Review