In September of 2018, the Federal Trade Commission filed complaints against four companies for falsely claiming to be certified under the EU-U.S. Privacy Shield, alleging that such acts constituted deceptive acts or practices in violation of Section 5(a) of the Federal Trade Commission Act. One company claimed on its website that it “complies with the EU-U.S. Privacy [S]hield framework” even though it never took the necessary steps to complete its application for certification under the program. The remaining three companies each obtained Privacy Shield certification in 2016, but then allowed their certifications to lapse and failed to remove statements on their websites about their participation in and compliance with the Privacy Shield program. Two of those companies also failed to abide by the Privacy Shield requirement that companies which stop participating in the Privacy Shield must affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
Today, the FTC gave final approval to settlements with the four companies. These settlements will remain in effect until November 15, 2038. As part of the settlements, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield framework. Each company also must comply with FTC reporting requirements, including requirements: (1) to deliver a copy of the settlement to various key personnel within the company and obtain signed acknowledgements of receipt from each individual; (2) to submit a detailed compliance report, sworn under penalty of perjury, to the FTC within sixty (60) days; and (3) to submit to compliance monitoring, including submitting future compliance reports, sworn under penalty of perjury, and producing any requested records within ten (10) days of receipt of a request for the same from an FTC representative. Notably, the settlements permit the FTC to monitor compliance with the settlements by using “all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to [the company] or any individual or entity affiliated with [the company], without the necessity of identification or prior notice.”
Two of the companies are also required to affirm to the Department of Commerce within ten (10) days, and annually thereafter, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program, protect it by other means authorized by the Privacy Shield framework, or return or delete the information within ten (10) days of the settlement.
Each violation of these settlements may result in a civil penalty of up to $41,484.
These settlements underscore the importance of organizations not allowing their Privacy Shield certifications to lapse, and of removing any public claims of participation once they do. Fey LLC will continue to monitor EU-U.S. Privacy Shield enforcement developments for our clients and interested parties.
Hannah Zimmerman, Fey LLC Associate Attorney