Is the EU-US Privacy Shield framework in your compliance picture?

Four companies just entered into proposed agreements with the FTC to settle charges that they made misrepresentations about their participation in the EU-U.S. Privacy Shield. The cases reflect the FTC’s continuing commitment to enforcing the framework. Two of the complaints also focus on a Privacy Shield obligation that may be worth more of your company’s attention.

Privacy Shield is a program that gives companies a way to transfer personal data from the EU to the United States consistent with EU data protection requirements. To participate, businesses must apply to the Department of Commerce and follow the program’s self-certification requirements. One requirement is that companies re-certify every year to maintain their status as Privacy Shield members. Participation is voluntary, but if a business says it’s in compliance, that representation – like other objective claims – must be truthful. As the FTC’s record of law enforcement in this area establishes, misrepresentations may violate the Federal Trade Commission Act.

Colorado-based IDmission, LLC, which sells a cloud-based platform for businesses, claimed it had “certified to the Department of Commerce that it adheres to the Privacy Shield framework.” The company started the certification process in October 2017, but didn’t finish. According to the complaint, the Department of Commerce had worked with the company to address issues with its application and warned the company to take down any claims about compliance until the company addressed the issues.

The FTC alleges three other companies let their certifications lapse without modifying the representations on their websites. mResource LLC, which does business as Loop Works, is a Chicago recruiting and talent management company. Despite claiming it “is a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield,” its certification expired in December 2017.

New York-based VenPath, Inc., said it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.” But the data analytics company allowed its certification to lapse in October 2017.

Then there’s SmartStart Employment Screening, Inc., a Florida background screening business. The company claimed it “complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.” However, SmartStart’s certification expired in September 2017.

The four proposed complaints all include an allegation similar to other Privacy Shield cases: that the company falsely represented that it’s a current participant in the EU-U.S. Privacy Shield framework.

But the proposed complaints against VenPath and SmartStart include an additional allegation of note. When a company represents it will abide by the EU-U.S. Privacy Shield framework principles, one key requirement is that if at a later date it stops participating in Privacy Shield, it must affirm to the Department of Commerce that it will continue to apply the principles to personal information it received during the time it did participate. The complaint alleges that VenPath and SmartStart didn’t satisfy that continuing obligation. According to the FTC, that’s a second way in which those two companies misrepresented their Privacy Shield compliance.

The proposed settlements serve as a reminder that if companies represent that they’re Privacy Shield participants, they must complete their initial certification and follow through with required annual re-certifications. In addition, if a company chooses to withdraw from the program – it’s voluntary, of course – it nonetheless maintains a continuing obligation regarding personal data it collected during the time it represented itself as a participant.

The FTC is accepting comments about the proposed settlements until October 29, 2018.

Comments

Thanks FTC.

Can you help me to understand what all this means?

My company, Valtech Solutions Inc. applied for the Privacy Shield in April 2018. We received a request for additional documentation and filing fees in May 2018. We responded on May 24, 2018 and paid the additional filing fees. After not hearing anything further, I submitted a request for information in September 2018. I still haven't received the courtesy of a reply or any acknowledgement of the status of our shield. Kindly provide me with an update of notification of acceptance of the shield.

The Privacy Shield program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, not the Federal Trade Commission. Please contact them for more information.

Why isn't anybody helping me?
