05 October 2017

FTC Cracks Down on False Claims of Compliance with the EU-US Privacy Shield

The Federal Trade Commission (“FTC”) recently announced (https://www.ftc.gov/news-events/press-releases/2017/09/three-companies-agree-settle-ftc-charges-they-falsely-claimed) that it had settled charges against three different companies for misleading consumers about their participation in the EU-US Privacy Shield (“Privacy Shield”) framework.  These are the FTC’s first enforcement actions brought under the Privacy Shield.

The FTC alleged the three companies falsely claimed they were certified to participate in the Privacy Shield despite having failed to complete the certification process. Rather than contest the action, each of the three companies signed consent orders that prohibit them from misrepresenting their participation in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organizations. The three companies will have to comply with somewhat onerous notice and reporting obligations for the next twenty (20) years.

The Privacy Shield is a framework for some transatlantic exchanges of personal data between the European Union and the United States.  The Privacy Shield seeks to protect consumer information while allowing US companies to more easily receive data from companies in the EU. The Privacy Shield replaced the International Safe Harbor Privacy Principles which were declared invalid by the European Court of Justice in 2015.  For more specifics on the EU-US Privacy Shield see our previous blog post here.

There are several things to take away from the FTC’s announcement:

  • The FTC continues to be active in monitoring and enforcing privacy and data security laws.
  • Consumers and companies should not simply rely on representations that a company is Privacy Shield compliant. Instead, consumers and companies should take steps to verify the steps a company has taken to keep consumer data safe.
  • Companies should make sure they have met all of their privacy and security obligations before advertising that they are compliant with the EU-US Privacy Shield or other national and international privacy frameworks.