The EU-U.S. Privacy Shield Framework has been in place for more than a year and the Swiss-U.S. Privacy Shield went into effect in April 2017. Self-certification programs like Privacy Shield offer benefits to business and protections for consumers. The FTC enforces the promises companies make when they join the frameworks and takes action against false claims of participation. In three separate law enforcement actions, the FTC has alleged that companies made false claims about Privacy Shield participation. But the cases add two new dimensions that should be of interest to your business.
Privacy Shield offers companies on both sides of the Atlantic a mechanism for complying with the EU’s data protection requirements when transferring personal data from the EU to the United States. To participate, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements. (The requirements for the Swiss-U.S. framework are largely the same.) The Department of Commerce maintains a site where it lists the companies that have current self-certifications.
The FTC has brought dozens of actions challenging misrepresentations about participation in privacy or security frameworks. What’s different this time around?
First, although the FTC had taken action against false claims about participation in the U.S.-EU Safe Harbor Framework, these are the first cases addressing the new EU-U.S. Privacy Shield Framework introduced on July 12, 2016.
Second, earlier FTC actions challenged false framework participation claims by companies that either had never participated or had participated at one time, failed to comply with the annual self-certification requirement, and still said they participated. In the just-announced cases, however, the FTC alleges that the companies started the application for the EU-U.S. Privacy Shield, didn’t complete the necessary steps, and yet falsely claimed to be participants. (The Decusoft complaint charges similar conduct with regard to the Swiss-U.S. framework, too.)
The orders in the three proposed settlements prohibit misrepresentations about compliance with any privacy or security program sponsored by a government or a self-regulatory or standard-setting group. The FTC is accepting public comments about the settlements until October 10, 2017.
What can other companies learn from these cases?
The FTC remains committed to challenging false promises about Privacy Shield participation. Frameworks like Privacy Shield help American businesses remain competitive while protecting consumers’ data, but only if companies take their certification responsibilities seriously. The programs are voluntary, but like any other express or implied representation a company makes, claims about participation have to be truthful.