In three separate law enforcement actions, the FTC has alleged that companies made false claims about Privacy Shield participation. In the three proposed settlements open to comment until October 10, the companies will be prohibited to misrepresent users about their compliance with any privacy or security program.
The EU-U.S. Privacy Shield Framework has been in place for more than a year and the Swiss-U.S. Privacy Shield went into effect in April 2017. It offers companies a mechanism for complying with the EU’s data protection requirements when transferring personal data from the EU to the United States. To participate, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements. The FTC enforces the promises companies make when they join the frameworks, as well as false claims of participation.
According to the FTC complaint, Decusoft, LLC, a New Jersey-based company that develops software for use in HR applications, California printing company Tru Communication, Inc. and MD7 LLC a California company that assists members of the wireless industry with real estate matters, falsely stated in their privacy policy that they were compliant with or participated to the Privacy Shield program (i.e. “participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework”, “will remain compliant and current with Privacy Shield at all times,” and “complies with the US-EU Privacy Shield Framework”.)
Even though the FTC had already taken action against false claims about participation in the US EU Safe Harbor Framework, this is the first time it addresses claims about the new Privacy Shield.
The orders in the three proposed settlements prohibit misrepresentations about compliance with any privacy or security program sponsored by a government or a self-regulatory or standard-setting group. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through October 10.
This post is also available in fr_FR.