The U.S. Federal Trade Commission this month brought its first cases enforcing the EU-U.S. Privacy Shield, which was put in place last year to replace the U.S.-EU Safe Harbor framework.
In separate complaints, the FTC alleged that three U.S. companies violated the FTC Act by falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield, which allows companies to transfer consumer data from EU member states to the United States in compliance with EU law. Those three companies are HR software company Decusoft; printing services company Tru Communication; and Md7, which manages real estate leases for wireless companies.
The FTC also alleged that Decusoft falsely claimed participation in the Swiss-U.S. Privacy Shield framework, which took effect in April and is identical to the EU-U.S. framework. Despite the claims they made, all three companies failed to complete the certification process for the Privacy Shield, the FTC complaint states.
“Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce,” Acting FTC Chairman Maureen Ohlhausen said in a statement. “Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”
Each of the proposed orders consists of six parts, setting out the following compliance measures:
Part I of the proposed orders prohibits each company from making misrepresentations about its membership in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization, including, but not limited to, the EU-U.S. Privacy Shield framework.
Part II of the proposed orders requires acknowledgement of the order and dissemination of the order now and in the future to persons with responsibilities relating to the subject matter of the order.
Part III ensures notification to the FTC of any changes in corporate status and mandates that each company submit an initial report to the FTC.
Part IV requires each company to retain documents relating to its compliance with the order for a five-year period.
Part V mandates that each company make available to the FTC information or subsequent reports, as requested.
Part VI is a provision “sunsetting” the order after 20 years, with certain exceptions.
The FTC said the purpose of the analysis is “to facilitate public comment” on the proposed orders; they are “not intended to constitute an official interpretation” of the proposed complaints or orders or to modify the orders’ terms in any way.
The FTC brought 39 enforcement actions against companies under the previous U.S.-EU Safe Harbor Framework. The three recent cases join the four enforcement actions the FTC brought related to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.