In three separate law enforcement actions, the FTC has alleged that companies made false claims about Privacy Shield participation. In the three proposed settlements open to comment until October 10, the companies will be prohibited to misrepresent users about their compliance with any privacy or security program.
The EU-U.S. Privacy Shield Framework has been in place for more than a year and the Swiss-U.S. Privacy Shield went into effect in April 2017. It offers companies a mechanism for complying with the EU’s data protection requirements when transferring personal data from the EU to the United States. To participate, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements. The FTC enforces the promises companies make when they join the frameworks, as well as false claims of participation.
Even though the FTC had already taken action against false claims about participation in the US EU Safe Harbor Framework, this is the first time it addresses claims about the new Privacy Shield.
The orders in the three proposed settlements prohibit misrepresentations about compliance with any privacy or security program sponsored by a government or a self-regulatory or standard-setting group. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through October 10.