The FTC has recently announced settlements with six companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework, in violation of Section 5 of the FTC Act. The EU-U.S. Privacy Shield establishes a mechanism by which participating U.S. companies may receive personal data transferred from European Union countries in compliance with EU data-protection law; a company that claims participation it does not actually hold is making a deceptive representation to consumers and business partners who rely on that status.
In one case, the FTC settled charges against a company that performs pre-employment background screening for falsely claiming to be in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. According to the FTC complaint, although the company initiated an application for EU-U.S. Privacy Shield certification, and added language at the bottom of its webpage stating that its application was pending, the company did not complete the steps necessary to participate in the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield frameworks within the timeframes established by the U.S. Department of Commerce. Nevertheless, the company held itself out as compliant with both frameworks until July 2018. After FTC staff contacted the company regarding the matter, the company completed the steps necessary to participate in the frameworks and received its certification on August 31, 2018. Under the settlement, the company is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. It must also comply with reporting and compliance requirements.
Similarly, the FTC settled with a management software provider for allegedly falsely claiming, in statements on its website, that it was certified under the EU-U.S. Privacy Shield framework. According to the complaint, the provider's EU-U.S. Privacy Shield certification lapsed, but it continued to claim participation in the framework. Under the settlement with the FTC, the company is prohibited from misrepresenting the extent to which it participates in any privacy or data security program sponsored by a government or any self-regulatory or standard-setting organization, and it must comply with FTC reporting requirements.