A Look Back at 2018 Privacy Shield Enforcement

Sheppard Mullin Richter & Hampton LLP

Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, as we have previously reported, gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and is pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.

This last point, the possibility of companies saying that they participated in the program when, in fact, they did not, was a particular concern for both the EU and the US Department of Commerce when the program was put in place. Illustrating enforcement efforts in this area, in July, the FTC brought action against ReadyTech, an online training company, for saying that “it was in the process of certifying” compliance with the program when in fact, although the application was filed with the Department of Commerce, the company did not take the remaining steps needed to participate. The settlement with ReadyTech was finalized in October. In four similar cases, the FTC alleged that IDmission, mResource, SmartStart Employment Screening, and VenPath also each stated incorrectly that they were certified under the program. IDmission, however, like ReadyTech, had started but not completed the certification process. mResource, SmartStart and VenPath had been certified previously, but their certifications had lapsed.

Putting it Into Practice: The EU will be reviewing Privacy Shield’s sufficiency again at the end of 2019. In anticipation of this review, we expect to see ongoing enforcement from the FTC, in particular against companies whose policies state they are participating in the program when they have not been certified or their certifications have lapsed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
