For businesses that choose to participate, the EU-U.S. Privacy Shield framework establishes a process to allow them to transfer consumer data from European Union countries to the United States in compliance with EU law. In return, companies must follow the framework’s requirements. The FTC has announced proposed settlements with companies that claimed to participate and yet failed to complete the steps necessary to get certification from the Department of Commerce, which administers the Privacy Shield framework. Another case raises an additional concern.
Four companies – DCR Workforce, a Florida management software company; Thru, Inc., a California cloud-based file transfer software provider; LotaData, a San Francisco business that analyzes mobile users’ location information; and TrueFace.ai, a Santa Monica-based company that offers facial recognition and identity verification services – all claimed on their websites to be certified under Privacy Shield. According to the FTC, however, each submitted an application but never finished the certification process. That rendered the statements on their sites false, in violation of the FTC Act.
A fifth company – EmpiriStat, a Maryland-based business that provides support services for clinical trials – was once certified under Privacy Shield, but allowed its certification to lapse in 2018. And yet the company continued to say on its site that it “has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.” What’s more, the complaint charges that EmpiriStat falsely claimed it complied with the Privacy Shield principles when, in fact, it failed to verify that its published policy regarding information received from the EU was accurate and completely implemented – something the framework requires companies to do annually. The FTC alleges the company also failed to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they’ll continue to apply Privacy Shield protections to personal information collected while they were in the program.
Proposed settlements in all five cases prohibit misrepresentation about the extent to which the companies participate in any privacy or data security program sponsored by a government or any self-regulatory or standard-setting group. The EmpiriStat order also requires the company to: 1) continue applying Privacy Shield protections to personal information it collected while participating in the program; 2) protect the data by another means allowed by the framework; or 3) return or delete the information within 10 days of the order. Once the proposed settlements appear in the Federal Register, the FTC will accept public comments for 30 days.
What messages should companies take from the dozens of Privacy Shield cases the FTC has brought to date?
The FTC means business when businesses make false statements about Privacy Shield participation. The FTC is committed to using Section 5’s prohibition on deceptive practices to challenge misrepresentations about Privacy Shield participation. The program is voluntary, but if your company says it participates, you must live up to its requirements.
Finish what you start. Whether it’s your golf swing or your company’s Privacy Shield application, it’s all in the follow-through. Don’t claim to participate in the framework until you’ve completed the application and have been certified by the Department of Commerce.
Privacy Shield participation comes with continuing obligations. One important framework requirement is annual recertification. To keep your company on the right side of the law, put a recertification reminder on your calendar now. (Yes, now.) Furthermore, if you decide at a later date not to participate, immediately change what you say on your website. In addition, you have ongoing responsibilities regarding data collected while you were a participant. Savvy companies follow the Department of Commerce’s requirements for withdrawing from the program.