
Four companies just entered into proposed agreements with the FTC to settle charges that they made misrepresentations about their participation in the EU-U.S. Privacy Shield. The cases reflect the FTC’s continuing commitment to enforcing the framework. Two of the complaints also focus on a Privacy Shield obligation that may be worth more of your company’s attention.

Privacy Shield is a program that gives companies a way to transfer personal data from the EU to the United States consistent with EU data protection requirements. To participate, businesses must apply to the Department of Commerce and follow the program’s self-certification requirements. One requirement is that companies re-certify every year to maintain their status as Privacy Shield members. Participation is voluntary, but if a business says it’s in compliance, that representation – like other objective claims – must be truthful. As the FTC’s record of law enforcement in this area establishes, misrepresentations may violate the Federal Trade Commission Act.

Colorado-based IDmission, LLC, which sells a cloud-based platform for businesses, claimed it had “certified to the Department of Commerce that it adheres to the Privacy Shield framework.” The company started the certification process in October 2017, but didn’t finish. According to the complaint, the Department of Commerce had worked with the company to address issues with its application and warned the company to take down any claims about compliance until the company addressed the issues.

The FTC alleges three other companies let their certifications lapse without modifying the representations on their websites. mResource LLC, which does business as Loop Works, is a Chicago recruiting and talent management company. Despite claiming it “is a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield,” its certification expired in December 2017.

New York-based VenPath, Inc., said it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.” But the data analytics company allowed its certification to lapse in October 2017.

Then there’s SmartStart Employment Screening, Inc., a Florida background screening business. The company claimed it “complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.” However, SmartStart’s certification expired in September 2017.

The four proposed complaints all include an allegation similar to other Privacy Shield cases: that the company falsely represented that it’s a current participant in the EU-U.S. Privacy Shield framework.

But the proposed complaints against VenPath and SmartStart include an additional allegation of note. When a company represents it will abide by the EU-U.S. Privacy Shield framework principles, one key requirement is that if at a later date it stops participating in Privacy Shield, it must affirm to the Department of Commerce that it will continue to apply the principles to personal information it received during the time it did participate. The complaint alleges that VenPath and SmartStart didn’t satisfy that continuing obligation. According to the FTC, that’s a second way in which those two companies misrepresented their Privacy Shield compliance.

The proposed settlements serve as a reminder that if companies represent that they’re Privacy Shield participants, they must complete their initial certification and follow through with required annual re-certifications. In addition, if a company chooses to withdraw from the program – it’s voluntary, of course – it nonetheless maintains a continuing obligation regarding personal data it collected during the time it represented itself as a participant.

The FTC is accepting comments about the proposed settlements until October 29, 2018.


Carmen Pringle
September 27, 2018
Thanks FTC.
agnes padreque
September 28, 2018
Can you help me to understand what all this means?
Barbara Frantkowski
October 29, 2018
My company, Valtech Solutions Inc. applied for the Privacy Shield in April 2018. We received a request for additional documentation and filing fees in May 2018. We responded on May 24, 2018 and paid the additional filing fees. After not hearing anything further, I submitted a request for information in September 2018. I still haven't received the courtesy of a reply or any acknowledgement of the status of our shield. Kindly provide me with an update of notification of acceptance of the shield.
FTC Staff
December 07, 2018

In reply to Barbara Frantkowski

The Privacy Shield program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, not the Federal Trade Commission. Please contact them for more information.

Floyd carelli
October 31, 2018
Why isn't anybody helping me?
Michael Pigford
April 22, 2019
Is there a way I can find out more?
