Want to be your company’s Privacy Shield hero? Four proposed FTC settlements suggest actions you can take to keep your business Privacy Shield-compliant.
The EU-U.S. Privacy Shield framework enables companies to lawfully transfer consumer data from European Union countries to the United States. (There also is a Swiss-U.S. framework.) The Department of Commerce administers both frameworks, while the FTC challenges false or deceptive representations companies make about their participation or compliance.
In separate complaints, the FTC alleges that four companies – Click Labs, Inc., a Seattle-based website and app services provider; Incentive Services, a Minnesota developer of employee award programs; Global Data Vault, a data storage and recovery business in Dallas; and North Carolina IT services company TDARX – made misleading Privacy Shield claims.
The FTC says Click Labs and Incentive Services submitted self-certification applications to the Department of Commerce for both the EU-U.S. and Swiss-U.S. frameworks, but failed to finalize them. Despite that, both companies claimed on their websites to be in compliance.
According to the cases against Global Data Vault and TDARX, although those companies were once EU-U.S. Privacy Shield participants, they allowed their certifications to lapse – meaning that the claims they made in their privacy policies about their status were false. Furthermore, the complaints allege that while they were participants, they failed to perform either the annual self-assessment or outside compliance review verification required of all Privacy Shield participants. What about the data they received during the time they participated? The framework gives former participants three options: affirm ongoing compliance with Privacy Shield principles for that information, return it, or delete it. The FTC says Global Data Vault and TDARX failed to do any of the three.
The proposed settlements prohibit the companies from misrepresenting their participation in or compliance with the EU-U.S. Privacy Shield framework or any other privacy or data security program sponsored by a government, self-regulatory group, or standard-setting organization. In addition, Global Data Vault and TDARX must either apply the Privacy Shield protections to personal information they collected while participating in the program, return the information, or delete it. Once the settlements appear in the Federal Register, you’ll have 30 days to file a public comment.
How can you help your company avoid a framework failure? Consider these three steps:
- Framework participation is voluntary, but don’t tout participation until your company’s application has been accepted.
- Set a reminder on your calendar to complete the required recertification process annually, as well as your annual verification.
Visit the FTC’s Privacy Shield page for more resources.