Four companies just entered into proposed agreements with the FTC to settle charges that they made misrepresentations about their participation in the EU-U.S. Privacy Shield. The cases reflect the FTC’s continuing commitment to enforcing the framework. Two of the complaints also focus on a Privacy Shield obligation that may be worth more of your company’s attention.
Privacy Shield is a program that gives companies a way to transfer personal data from the EU to the United States consistent with EU data protection requirements. To participate, businesses must apply to the Department of Commerce and follow the program’s self-certification requirements. One requirement is that companies re-certify every year to maintain their status as Privacy Shield members. Participation is voluntary, but if a business says it’s in compliance, that representation – like other objective claims – must be truthful. As the FTC’s record of law enforcement in this area establishes, misrepresentations may violate the Federal Trade Commission Act.
Colorado-based IDmission, LLC, which sells a cloud-based platform for businesses, claimed it had “certified to the Department of Commerce that it adheres to the Privacy Shield framework.” The company started the certification process in October 2017, but didn’t finish. According to the complaint, the Department of Commerce had worked with the company to address issues with its application and warned the company to take down any claims about compliance until the company addressed the issues.
The FTC alleges three other companies let their certifications lapse without modifying the representations on their websites. mResource LLC, which does business as Loop Works, is a Chicago recruiting and talent management company. Despite claiming it “is a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield,” its certification expired in December 2017.
New York-based VenPath, Inc., said it “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.” But the data analytics company allowed its certification to lapse in October 2017.
Then there’s SmartStart Employment Screening, Inc., a Florida background screening business. The company claimed it “complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.” However, SmartStart’s certification expired in September 2017.
The four proposed complaints all include an allegation similar to other Privacy Shield cases: that the company falsely represented that it’s a current participant in the EU-U.S. Privacy Shield framework.
But the proposed complaints against VenPath and SmartStart include an additional allegation of note. When a company represents it will abide by the EU-U.S. Privacy Shield framework principles, one key requirement is that if at a later date it stops participating in Privacy Shield, it must affirm to the Department of Commerce that it will continue to apply the principles to personal information it received during the time it did participate. The complaints allege that VenPath and SmartStart didn’t satisfy that continuing obligation. According to the FTC, that’s a second way in which those two companies misrepresented their Privacy Shield compliance.
The proposed settlements serve as a reminder that if companies represent that they’re Privacy Shield participants, they must complete their initial certification and follow through with required annual re-certifications. In addition, if a company chooses to withdraw from the program – it’s voluntary, of course – it nonetheless maintains a continuing obligation regarding personal data it collected during the time it represented itself as a participant.
The FTC is accepting comments about the proposed settlements until October 29, 2018.