Four companies have reached settlements with the Federal Trade Commission for allegedly misrepresenting their participation in the EU-U.S. Privacy Shield framework. The FTC further alleged two of the companies failed to comply with Privacy Shield requirements.

The EU-U.S. Privacy Shield framework enables companies to transfer consumer data legally from European Union countries to the United States. U.S. companies seeking to transfer personal data from Europe into the United States must, however, follow stringent data privacy compliance obligations.

In separate actions, the FTC settled Privacy Shield cases against the following four companies:

According to the FTC, both Click Labs and Incentive Services falsely claimed to participate not only in the EU-U.S. Privacy Shield framework but also in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law. Specifically, the FTC said these companies submitted self-certification applications to the Department of Commerce for both the EU-U.S. and Swiss-U.S. frameworks but failed to finalize them, yet claimed on their websites that they were in compliance with the frameworks.

In its cases against Global Data and TDARX, the FTC alleged the companies continued to claim participation in the EU-U.S. Privacy Shield after allowing their certifications to lapse. Furthermore, the complaints allege that, while they were participants, they failed to perform either the annual self-assessment or the outside compliance review verification required of all Privacy Shield participants.

Compliance lessons

The settlements offer some valuable lessons on how to avoid compliance failures under the framework. In a blog post, Leslie Fair, a senior attorney with the FTC’s Bureau of Consumer Protection, recommends the following measures:

  • Don’t tout voluntary participation until your company’s application has been accepted;
  • Set a reminder on your calendar to complete the required recertification process annually, as well as your annual verification;
  • If the company chooses to withdraw from participation, remove Privacy Shield references from your website, including your privacy policy. Furthermore, think through how your company will appropriately protect, or securely return or delete, information collected while a participant.

Settlement details

Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government or any self-regulatory or standard-setting organization. As part of their settlements, Global Data and TDARX must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program or return or delete the information.

In June, the FTC sent warning letters to 13 other companies that falsely claimed they participate in the U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively. Including these latest actions, the FTC has now brought a total of 21 enforcement actions related to the EU-U.S. Privacy Shield framework.