The FTC entered into consent orders with four separate companies that falsely claimed to be certified under the EU-U.S. Privacy Shield framework, which governs the ability of companies to transfer personal data outside of the EU.
In 1995, the EU enacted a Directive on Data Privacy which created requirements for privacy and the protection of personal data for EU citizens. Among other things, the Directive prohibits most transfers of personal data outside the EU, unless the EU has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data. The EU and the U.S. Department of Commerce negotiated the Privacy Shield framework, which allows U.S. companies to receive certifications that they comply with the EU’s privacy directive, and in turn allows them to transfer covered data outside of the EU. To become certified, a company must self-certify to the Department of Commerce that it complies with the Privacy Shield framework and related requirements that have been deemed to meet the EU’s adequacy standard. The Privacy Shield framework went into effect in 2016.
Each of the companies entered into a consent order with the FTC to resolve its complaint. In each case, the companies agreed to correct any inaccurate statements about their compliance with the Privacy Shield framework and to not make further false or misleading statements about compliance with the Privacy Shield framework. While there was no monetary penalty, the companies also agreed—for 20 years—to provide information to their employees about the consent order, to provide compliance reports and notices to the FTC, to engage in certain recordkeeping practices, and to engage in additional compliance monitoring.