Nearly three years after the EU-U.S. Privacy Shield framework replaced the U.S.-EU Safe Harbor as a mechanism to transfer personal data from the European Union to the United States, the Federal Trade Commission (FTC) continues to monitor companies’ claims regarding participation. As we previously reported, the FTC has taken actions against several companies over the years for stating they were self-certified to the Privacy Shield framework when they either had never joined or when their certification had lapsed. Recently, the FTC settled with background screening company SecurTest, Inc over allegations that the company violated Section 5 of the FTC Act when it falsely claimed participation in the EU-U.S. Privacy Shield and identical Swiss-U.S. Privacy Shield frameworks.
According to the FTC’s complaint, SecurTest applied to the Department of Commerce (DOC) to participate in the Privacy Shield but never completed the process. Under the settlement terms, SecurTest must refrain from misrepresenting its participation in the Privacy Shield or any other privacy program sponsored by a government agency, self-regulatory organization, or standard.
The FTC also sent warning letters to 13 other companies that falsely claimed membership in the U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks, which no longer exist, and to two companies that stated they took part in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system when they didn’t. The FTC’s actions confirm the importance of assuring that claims about participation in the Privacy Shield or any other privacy program are made only when an application has been approved and certifications are current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.
In its report to the European Parliament and the Council on the second annual Privacy Shield review conducted last year, the European Commission highlighted actions taken by the DOC and FTC, such as routine monitoring of companies for compliance and enforcement actions, and concluded that the United States continues to ensure that personal data transferred under the Privacy Shield meets EU adequacy criteria. The Commission reported that it will continue to monitor the effectiveness of the program and actions taken by the DOC and FTC. The validity of the Privacy Shield as an international data transfer mechanism will likely remain under scrutiny in both the U.S. and in Europe. But with some 4,000 companies now listed as certified on the DOC’s website, the Privacy Shield program remains a vitally important data transfer mechanism to many U.S. businesses. It is this very importance that means the FTC will continue to closely monitor adherence to assure that those claiming to be certified to the framework indeed meet the Privacy Shield criteria and that the program retains its integrity.