FTC Enters Consent Orders with Companies that Falsely Claimed to be Certified Under the EU-U.S. Privacy Shield
The FTC entered into consent orders with four separate companies that falsely claimed to be certified under the EU-U.S. Privacy Shield framework, the mechanism that allows U.S. companies to receive personal data transferred from the EU.
In 1995, the EU enacted the Data Protection Directive, which established requirements for privacy and the protection of the personal data of EU residents. Among other things, the Directive prohibits most transfers of personal data outside the EU unless the EU has determined that the recipient jurisdiction's laws ensure an adequate level of protection for such data. Because the U.S. has no such general adequacy finding, the European Commission and the U.S. Department of Commerce negotiated the Privacy Shield framework. Under it, a U.S. company self-certifies to the Department of Commerce that it complies with the Privacy Shield Principles and related requirements, which the EU has deemed to meet its adequacy standard; a certified company may then receive covered personal data from the EU. Certification must be renewed annually. The Privacy Shield framework went into effect in 2016.
Earlier this year, the FTC brought complaints against four companies that falsely claimed to be certified under the Privacy Shield framework. Each company's website included, among other things, a privacy policy asserting that the company was certified under and complied with the framework. In fact, three of the companies had been certified but had allowed their certifications to lapse without renewing them, and the fourth had begun the self-certification process but never completed it. The FTC alleged that these misrepresentations constituted deceptive acts or practices under Section 5 of the FTC Act.
Each company entered into a consent order with the FTC to resolve the complaint against it. In each case, the company agreed to correct any inaccurate statements about its compliance with the Privacy Shield framework and not to make further false or misleading statements about such compliance. Although no monetary penalty was imposed, each company also agreed, for a period of 20 years, to distribute the consent order to its employees, to file compliance reports and notices with the FTC, to keep specified records, and to submit to additional compliance monitoring.