FTC Steps Up Privacy Shield Enforcement Actions


This week the FTC announced yet another batch of enforcement actions against companies for misrepresenting their participation in the EU-US and US-Swiss Privacy Shield Frameworks.  Since the beginning of the year, the FTC has settled actions against 12 companies for purported Privacy Shield lapses (see here, here, here, and here).  In addition to these enforcement actions, earlier this year the FTC issued warning letters to 13 companies who still claimed participation in the prior Safe Harbor regime.  The number of settlements and warning letters is greatly outpacing prior years, with this year’s actions exceeding the total number of actions in the two prior years combined.  In 2018, the FTC settled Privacy Shield actions against 5 companies (here and here), and in 2017, the FTC settled 3 such actions.  

What is causing the increase? The European Union continues to express displeasure with the data transfer pact. This year, as part of the third annual review of Privacy Shield, the European Commission called for more enforcement, specifically with respect to the substantive requirements of Privacy Shield, as well as greater transparency into U.S. enforcement actions relating to the Framework. The FTC has obliged in an effort to show the EU that it is serious about maintaining the Framework. While there continue to be enforcement actions asserting failure to complete certification or certification lapses, recent cases have alleged more substantive Privacy Shield violations, including failures to annually verify compliance with the Framework and failures to abide by the Privacy Shield requirement that companies that stop participating in the Framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

These actions are a reminder for the companies that have self-certified to the Privacy Shield Framework that the obligations are ongoing and include annual verification. 

If your organization is self-certified or considering joining Privacy Shield, be sure to:

  • Complete all of the self-certification steps.  The Department of Commerce provides a “How-To” guide on the Privacy Shield site.  
  • Ensure privacy policy representations and assertions about Privacy Shield participation remain accurate or are promptly removed if the organization withdraws from the Framework.
  • Annually verify the organization’s Privacy Shield attestations and assertions through self-assessments or outside compliance reviews in accordance with the Verification Supplemental Principle.  Don’t forget the signed verification or attestation statement.
  • And, of course, comply with all the Privacy Shield’s substantive Principles!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising
