A California-based, international provider of online training services has recently settled with the Federal Trade Commission (FTC) after allegations by the FTC that the company engaged in a deceptive act related to its participation in the EU-U.S. Privacy Shield.
The EU-U.S. Privacy Shield framework was created to allow transfer of personal data outside the EU while adhering to EU privacy law. For companies to engage in this framework, they must self-certify to the U.S. Department of Commerce that they comply with the Privacy Shield requirements.
In October 2016, the California company initiated its application with the Department of Commerce to self-certify but did not complete the process. In the meantime, the company’s website indicated that it was “in the process of certifying” compliance. The FTC, enforcing the Privacy Shield, filed a complaint against this company, alleging that the statement on its website was a false or misleading representation, in violation of the Federal Trade Commission Act, because the company was “not actively in the process of certifying compliance with the EU-U.S. Privacy Shield framework.”
On July 2, the company agreed to settle with the FTC. The FTC has released a proposed consent order, subject to public comment through August 1. The proposed consent order prohibits the company from misrepresenting, expressly or by implication, the extent to which it is certified by any privacy or security program sponsored by a government or any organization, including but not limited to the EU-U.S. Privacy Shield framework. The proposed order does not provide for civil money penalties, but contains certain reporting obligations and recordkeeping requirements. The proposed order will terminate 20 years after issuance. After August 1, the FTC “will decide whether to make the proposed consent order final.”
The proposed consent order is accessible here.