The Federal Trade Commission on June 14 reached a settlement with background screening company SecurTest over allegations that it falsely claimed to be a participant in the EU-U.S. Privacy Shield program. In separate actions, the FTC also sent warning letters to more than a dozen companies for falsely claiming participation in other international privacy agreements.

The EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks establish processes to allow companies to transfer consumer data from EU countries and Switzerland to the United States in compliance with EU and Swiss law, respectively. Privacy Shield participation is voluntary, but the FTC can bring an enforcement action against companies that make deceptive representations about their status, as in SecurTest’s case.

According to the FTC’s complaint, SecurTest initiated a Privacy Shield application in September 2017 with the U.S. Department of Commerce. Shortly after that, the company added language at the bottom of its webpage to say its application was pending.

However, SecurTest did not complete the steps necessary to be certified as complying with the frameworks, and yet until July 2018, when the FTC raised the issue, the company claimed in its privacy policy that it “complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework” and that it “has certified to the Department of Commerce,” which administers both frameworks, that it “adheres to the Privacy Shield Principles.”

“By failing to complete certification, SecurTest was not a certified participant in the frameworks, despite representations to the contrary on its website,” the FTC said.

As part of its proposed settlement with the FTC, SecurTest is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.

Warning shots fired

The FTC also sent warning letters to 13 other companies that falsely claimed they participate in the U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively. These Safe Harbor agreements are no longer in force, and the last valid self-certifications for either agreement have expired.

The FTC called on the 13 companies to remove from their websites, privacy policies, or any other public documents any statements claiming they participate in either Safe Harbor agreement. If the companies fail to act within 30 days, the FTC warned it would take appropriate legal action.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with SecurTest was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on regulations.gov.

The FTC also sent warning letters to two companies for claiming in their privacy policies that they are participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system, even though they are not certified participants. The APEC CBPR system is an initiative to enhance the protection of consumer data that moves among the APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses.

To become a certified participant, a company must have its practices reviewed by a designated third party, known as an APEC-recognized Accountability Agent, which certifies that the company complies with the CBPR program requirements.

The FTC’s letters instructed the companies to remove from their websites, privacy policies, and any other public documents any statements that might be construed as claiming participation or involvement in the APEC CBPR system, unless they can show they have undergone the requisite review and certification. The FTC warned it would take appropriate legal action if the companies fail to provide a timely and satisfactory response.

Compliance lessons

In a blog post on the FTC’s website, Lesley Fair, a senior attorney with the FTC’s Bureau of Consumer Protection, wrote that the proposed settlement and warning letters offer three lessons for other companies:

Avoid a false start. “Until your application has been finalized and approved, it’s deceptive to suggest to consumers—through words, logos, or any other means—that your company is a participant,” Fair wrote.

Privacy Shield participation requires ongoing compliance. “Privacy Shield participation isn’t a one-and-done box to check. A key component is the annual self-certification process, which requires you to take a current look at your company’s practices,” Fair wrote. “Letting your certification lapse renders your participation claims false. The wiser practice is to add an annual reminder on your calendar to recertify with the Department of Commerce before the expiration date of your company’s current certification.”

Don’t try to dock in the Safe Harbor. Check your company’s website and other documentation to make sure it is not still touting participation in the now-defunct U.S.-EU or U.S.-Swiss Safe Harbor frameworks.