Four companies have agreed to settle allegations by the Federal Trade Commission that they falsely claimed certification under the EU-U.S. Privacy Shield framework and that two of these companies failed to abide by a key provision of the framework.
In separate complaints, the FTC alleges that IDmission, mResource (doing business as Loop Works), SmartStart Employment Screening, and VenPath falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law.
“Companies need to know that if they fail to honor their Privacy Shield commitments, or falsely claim participation in the Privacy Shield framework, we will hold them accountable,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a statement. “We have now brought enforcement actions against eight companies related to the Privacy Shield, and we will continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.” The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework.
The FTC alleges that IDmission, which offers cloud-based technology platform services, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. Despite this, the company claimed on its website that it “complies with the EU-U.S. Privacy shield framework.”
According to the FTC complaints, SmartStart, VenPath and mResource each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. Despite this, all three companies included statements posted on their websites that they participated in the Privacy Shield. VenPath is a data analytics firm, while SmartStart offers employment and background screening services, and mResource provides talent management and recruitment services.
The FTC further alleges that VenPath and SmartStart failed to abide by the Privacy Shield requirement that companies that stop participation in the Privacy Shield affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlements with the FTC, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order.
The Commission vote to issue the administrative complaints and to accept the proposed consent agreements was 4-0-1. Commissioner Christine S. Wilson did not participate.
The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning Sept. 27 and continuing through Oct. 29, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.