FTC Seeks to Hold Companies to GDPR Promises

Foley Hoag LLP - Security, Privacy and the Law

Foley Hoag LLP - Privacy & Data Security

As if having to deal with all the EU’s Data Protection Authorities wasn’t challenge enough for companies trying to comply with GDPR, the FTC has now asserted that it has a role in GDPR enforcement. In particular, the FTC says it has a role in making sure that US companies live up to the GDPR-related promises that they make. This position came to fruition in a proposed FTC settlement with a California-based employment training company, ReadyTech Corporation. Here’s the FTC’s take on the matter:

Privacy Shield gives companies a way to transfer personal data from the EU to the United States, consistent with EU data protection requirements. To participate in Privacy Shield (or the corresponding Swiss-U.S. Framework), companies must apply to the U.S. Department of Commerce and follow the program’s self-certification requirements. Participation is voluntary, but a company’s representations about Privacy Shield compliance must be true.

Here’s what ReadyTech said in its Privacy Policy:

  • “ReadyTech is in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.”

But according to the FTC, although ReadyTech began the Privacy Shield application process in October 2016, it didn’t follow through with the necessary steps. Thus, the FTC alleged that ReadyTech’s statement in its Privacy Policy was false or misleading.

To settle the case, the company has agreed not to misrepresent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group, or a standard-setting organization. The FTC is accepting comments about the proposed settlement until August 1, 2018.

What does the case mean for your company?

Deceptive claims about Privacy Shield participation are actionable under the FTC Act. Like any other objective representation, companies must have a reasonable basis to support what they say about Privacy Shield. If a business says it complies with the framework, that must be true. If it says it’s “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework,” it must be actively taking the steps necessary to complete the process. Your company doesn’t have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.

Be the in-house Privacy Shield hero. If your company claims to participate in Privacy Shield, but you haven’t finished the process or your certification has lapsed, you have two choices: 1) complete the process; or 2) remove the false statement. To earn Privacy Shield props from your company, implement a simple system to keep your Privacy Shield self-certification current. The Commerce Department’s list of active Privacy Shield participants includes the date by which you must submit your annual self-certification. Mark it on your calendar so you can recertify on time.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising
