For the first time, the Federal Trade Commission is holding companies accountable in three enforcement actions for misleading consumers about their Privacy Shield participation.
EU-U.S. Privacy Shield
The Privacy Shield framework allows companies to transfer consumer data across the pond from EU member states to the U.S. while complying with EU data protection laws. The Privacy Shield was birthed to replace the U.S.-EU Safe Harbor framework which was deemed invalid in 2015.
To participate in the framework, companies must certify with the U.S. Department of Commerce and demonstrate compliance with the Privacy Shield Principles. The Department of Commerce maintains the list of active members, while the FTC enforces compliance.
During Safe Harbor’s tenure as the preferred data transfer mechanism between the EU and U.S., the FTC brought 39 enforcement actions against companies for reasons of noncompliance. Now we see the first three enforcement actions under the newer Privacy Shield framework.
Privacy Shield Enforcement
The FTC announced that three companies violated the FTC Act by making false claims regarding their Privacy Shield certification to consumers. The companies never actually completed the certification process.
Acting FTC Chairman Maureen K. Ohlhausen notes, “Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce. Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”
In conjunction with the settlements, the FTC prohibits the three companies from misrepresenting their participation in any privacy or data security program sponsored by a government or regulatory agency.
What can other companies learn from the mistakes in these cases?
The FTC is committed to enforcing misrepresentations about Privacy Shield participation. Given the prior settlements under the Safe Harbor framework, the FTC remains consistent in their efforts to hold companies accountable.