For businesses that choose to participate, the EU-U.S. Privacy Shield framework establishes a process to allow them to transfer consumer data from European Union countries to the United States in compliance with EU law. In return, companies must follow the framework’s requirements. The FTC has announced proposed settlements with companies that claimed to participate and yet failed to complete the steps necessary to get certification from the Department of Commerce, which administers the Privacy Shield framework. Another case raises an additional concern.
Four companies – DCR Workforce, a Florida management software compan; Thru, Inc., a California cloud-based file transfer software provider; LotaData, a San Francisco business that analyzes mobile users’ location information; and TrueFace.ai, a Santa Monica-based company that offers facial recognition and identity verification services – all claimed on their websites to be certified under Privacy Shield. But according to the FTC, they submitted applications, but didn’t finish the certification process. That rendered the statements on their sites false, in violation of the FTC Act.
A fifth company – EmpiriStat, a Maryland-based business that provides support services for clinical trials – was once certified under Privacy Shield, but allowed its certification to lapse in 2018. And yet the company continued to say on its site that it “has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.” What’s more, the complaint charges that EmpiriStat falsely claimed it complied with the Privacy Shield principles when, in fact, it failed to verify that its published policy regarding information received from the EU was accurate and completely implemented – something the framework requires companies to do annually. The FTC alleges the company also failed to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they’ll continue to apply Privacy Shield protections to personal information collected while they were in the program.
Proposed settlements in all five cases prohibit misrepresentation about the extent to which the companies participate in any privacy or data security program sponsored by a government or any self-regulatory or standard-setting group. The EmpiriStat order also requires the company to: 1) continue applying Privacy Shield protections to personal information it collected while participating in the program; 2) protect the data by another means allowed by the framework; or 3) return or delete the information within 10 days of the order. Once the proposed settlements appear in the Federal Register, the FTC will accept public comments for 30 days.
What messages should companies take from the dozens of Privacy Shield cases the FTC has brought to date?
The FTC means business when businesses make false statements about Privacy Shield participation. The FTC is committed to using the Section 5’s prohibition on deceptive practices to challenge misrepresentations about Privacy Shield participation. The program is voluntary, but if your company says it participates, you must live up to its requirements.
Finish what you start. Whether it’s your golf swing or your company’s Privacy Shield application, it’s all in the follow-through. Don’t claim to participate in the framework until you’ve completed the application and have been certified by the Department of Commerce.
Privacy Shield participation comes with continuing obligations. One important framework requirement is annual recertification. To keep your company on the right side of the law, put a recertification reminder on your calendar now. (Yes, now.) Furthermore, if you decide at a later date not to participate, immediately change what you say on your website. In addition, you have ongoing responsibilities regarding data collected while you were a participant. Savvy companies follow the Department of Commerce’s requirements for withdrawing from the program.