FTC cases affirm commitment to Privacy Shield

Share This Page

The EU-U.S. Privacy Shield Framework has been in place for more than a year and the Swiss-U.S. Privacy Shield went into effect in April 2017. Self-certification programs like Privacy Shield offer benefits to business and protections for consumers. The FTC enforces the promises companies make when they join the frameworks, as well as false claims of participation. In three separate law enforcement actions, the FTC has alleged that companies made false claims about Privacy Shield participation. But the cases add two new dimensions that should be of interest to your business.

Privacy Shield offers companies on both sides of the Atlantic a mechanism for complying with the EU’s data protection requirements when transferring personal data from the EU to the United States. To participate, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements. (The requirements for the Swiss-U.S. framework are largely the same.) The Department of Commerce maintains a site where it lists the companies that have current self-certifications.

According to the FTC complaint, Decusoft, LLC, a New Jersey-based company that develops software for use in HR applications, falsely stated in its privacy policy that it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.” The FTC’s action against California printing company Tru Communication, Inc. – customers may know them as TCPrinting.net – alleges that the business said in its privacy policy that it “will remain compliant and current with Privacy Shield at all times,” when that wasn’t the case. The complaint against Md7, LLC, a California company that assists members of the wireless industry with real estate matters, charges that Md7’s privacy policy falsely stated that it “complies with the US-EU Privacy Shield Framework.”

The FTC has brought dozens of actions challenging misrepresentations about participation in privacy or security frameworks. What’s different this time around?

First, although the FTC had taken action against false claims about participation in the U.S.-EU Safe Harbor Framework, these are the first cases addressing the new EU-U.S. Privacy Shield Framework introduced on July 12, 2016.

Second, earlier FTC actions challenged false framework participation claims by companies that either had never participated or had participated at one time, failed to comply with the annual self-certification requirement, and still said they participated. In the just-announced cases, however, the FTC alleges that the companies started the application for the EU-U.S. Privacy Shield, didn’t complete the necessary steps, and yet falsely claimed to be participants. (The Decusoft complaint charges similar conduct with regard to the Swiss-U.S. framework, too.)

The orders in the three proposed settlements prohibit misrepresentations about compliance with any privacy or security program sponsored by a government or a self-regulatory or standard-setting group. The FTC is accepting public comments about the settlements until October 10, 2017.

What can other companies learn from these cases?

The FTC remains committed to challenging false promises about Privacy Shield participation.  Frameworks like Privacy Shield help American businesses remain competitive while protecting consumers’ data, but only if companies take their certification responsibilities seriously. The programs are voluntary, but like any other express or implied representation a company makes, claims about participation have to be truthful.

Avoid a framework false start.  If you apply to participate in Privacy Shield, follow through. If you apply but then decide not to participate, don’t tout your compliance in your privacy policy or elsewhere on your website. Furthermore, if the Department of Commerce contacts your company about a deficient or incomplete application, it’s wise to heed the warning by completing the self-certification process in a timely manner or by removing any false statement regarding participation in the Privacy Shield Framework.



I doubt these cases are going impress the EU Data Protection Supervisor Giovanni Buttarelli or Chairman Moraes . The Congress just got rid of the FCC rule prohibiting collections. These cases concern controllers. The EU is worried about data subjects. Is there anything being done about their other concerns like the bulk collection of data or automated decision making? If the Privacy Shield make it past the annual review in the next few weeks, it is doubtful that it will survive the GDPR effective date next May. It was only meant as a reaction to Schrems, not as a response to the GDPR. The FTC does some great work. They shouldn't waste their time on this temporary fudge..

When a person's privacy is violated and their whole life is turned upside down, the people responsible should have to pay for every bit of turmoil caused, especially when it comes to the individuals knowing what they are doing and doing it for self gratification.

This is a shame that individuals have to get into others business , furthermore when a case such as this multitude happens and there are injured parties then by all means make examples out of them for the next ones!

i has been eonber the day after mothers day my phone been hack my cards been empty and im a single mother with 2 kids trying to start a cleaning business . i wish I knew who
this was . but I will give more detail in report

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.