The Federal Trade Commission has settled a case against a California online training services company that the FTC said falsely claimed to be in the process of certifying compliance with the EU-U.S. Privacy Shield Framework (Privacy Shield), the FTC’s fourth Privacy Shield case.
The Privacy Shield, the successor to Safe Harbor, was created by the U.S. Department of Commerce and the European Union. It is a mechanism for companies to comply with the EU’s data protection requirements when transferring personal data from the EU to the U.S. To join the Privacy Shield, a U.S. based organization is required to self-certify to the Commerce Department and publicly commit to comply with the Privacy Shield’s requirements. The Commerce Department administers the Privacy Shield and the FTC enforces the promises companies make when joining the Privacy Shield.
In this case, the company initiated an application with the Commerce Department in October 2016, but it did not complete the necessary steps to participate in the Privacy Shield. The FTC alleged that the statement on the company’s website that the company was in the process of certification with the Privacy Shield was in violation of the FTC’s prohibition against deceptive acts or practices. As part of the settlement, the company is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization.
The FTC Press Release can be found here.