The FTC recently filed an administrative complaint against a Nevada-based IT service management company, alleging that the company engaged in deceptive acts related to its participation in the EU-U.S. Privacy Shield.
The EU-U.S. Privacy Shield framework was created to allow the transfer of personal data outside the EU while adhering to EU privacy law. For companies to engage in this framework, they must self-certify, on an annual basis, to the U.S. Department of Commerce that they comply with the Privacy Shield requirements. Failure to comply with the requirements is enforceable under Section 5 of the Federal Trade Commission Act.
In January 2017, the Nevada company obtained Privacy Shield certification. The following year, the company failed to renew its certification, and its Privacy Shield certification lapsed in January 2018. However, the company’s website continued to indicate that it was still in compliance with and certified under the EU-U.S. Privacy Shield. The company also made similar representations in disseminated sales materials.
The FTC, enforcing the Privacy Shield, filed a complaint against this company, alleging multiple acts and practices in violation of Section 5(a) of the Federal Trade Commission Act, including participation misrepresentation, misrepresentation regarding verification, misrepresentation regarding dispute resolution, and misrepresentation regarding continuing obligations.