The FTC brought its first set of separate Privacy Shield-related enforcement actions against three companies in September 2017 for allegedly misrepresenting to customers the companies’ current participation in the Privacy Shield framework. According to the FTC complaints, merely implying participation in the Privacy Shield framework is enough to draw a misrepresentation charge. In those cases, the companies included statements in their privacy policies that they complied with the Privacy Shield principles though the companies had never completed the certification process with the Department of Commerce.
In a second set of Privacy Shield-related actions, the FTC reached a settlement with California-based ReadyTech Corporation for representing to consumers that the company was in the process of obtaining certification status. According to the FTC, while the company had begun the certification process almost two years earlier, it failed to complete the steps necessary to participate in the Privacy Shield framework despite representing to customers that it was pursuing Privacy Shield certification. The FTC alleged that the statement in ReadyTech’s privacy policy that “[it] is in the process of certifying that [it] compl[ies] with the U.S.-E.U. Privacy Shield framework…” effectively represented “directly or indirectly, expressly or by implication” that the company was actively seeking Privacy Shield certification.
The FTC’s recent set of enforcement actions introduced a couple of new models of Privacy Shield enforcement.
First, the FTC is ready to bring enforcement actions against companies that let their Privacy Shield certification lapse but fail to amend their representations to customers. Three of the companies targeted in the recent actions had actually obtained Privacy Shield certification status but failed to complete their annual re-certification as required by the Privacy Shield principles. Despite the lapses, according to the FTC, the companies maintained outdated statements in their privacy policies representing that their Privacy Shield certification was current.
Second, the FTC added to its complaints against two of those companies a second count alleging that despite their certifications lapsing, the companies failed to provide the Department of Commerce with an affirmation that the data they received while still certified under Privacy Shield would continue to be treated in accordance with Privacy Shield principles. The FTC alleged in its complaints that those companies’ failure to provide the Department of Commerce with the required affirmation rendered the companies’ statements “that they would abide by the EU-U.S. Privacy Shield framework principles” to be false.
As echoed by Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, the FTC’s recent Privacy Shield enforcement actions show the agency’s continued intention to use companies’ misrepresentations about Privacy Shield compliance and certification as a basis for bringing enforcement actions against them. Privacy Shield participants should ensure not only that their Privacy Shield certifications remain current but also that the representations they make about Privacy Shield compliance remain up to date. In addition, former Privacy Shield participants should provide the Department of Commerce with the required affirmation that data collected while the company was Privacy Shield certified will continue to be treated according to its principles.
Update: On November 19, 2018, the FTC approved its proposed settlements with the four companies in a 4-0-1 vote after receiving no comments.
Authored by Bret Cohen and Julian Flamant
*Julian Flamant was not yet a member of the Washington, D.C. bar when this post was originally published.