The FTC has recently announced settlements with four companies, in separate actions, over allegations that they misrepresented their participation in the EU-U.S. Privacy Shield framework in violation of Section 5 of the FTC Act.
The EU-U.S. Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries to the U.S. in compliance with EU law. For companies to engage in this framework, they must annually self-certify to the U.S. Department of Commerce that they comply with the Privacy Shield requirements. In each of the four cases, the FTC alleged that the company represented that it was a current participant in the Privacy Shield when in fact the company was not certified at that time to participate in the Privacy Shield. The FTC alleged that two of the companies had never been certified and that two of the companies had been certified but allowed their certification to lapse.
Under each of the four settlements, the company is prohibited from misrepresenting its Privacy Shield participation or participation in any other privacy or data security program sponsored by a government, self-regulatory, or standard-setting organization. For the companies that allegedly allowed their certification to lapse, the settlements also require the company to continue to apply the Privacy Shield protections to, or otherwise return or delete, the personal information collected while participating in the Privacy Shield framework.
The consent agreements are currently proposals, subject to public comment, after which the FTC will decide whether to finalize the consent orders.