Want to be a Privacy Shield Hero for your company? Four settlements proposed by the U.S. Federal Trade Commission (FTC) suggest steps you can take to make sure your business complies with the Privacy Shield.
The EU-U.S. Privacy Shield framework enables companies to lawfully transfer consumer data from EU countries to the United States. (There is also a Swiss-U.S. framework.) The Commerce Department administers both frameworks, while the FTC takes enforcement action against companies that make false or deceptive statements about their participation or compliance.
In separate complaints, the FTC charged that four companies made misleading privacy claims: Click Labs, Inc., a Seattle-based provider of website and application services; Incentive Services, a Minnesota-based developer of employee compensation programs; Global Data Vault, a Dallas-based data storage and recovery company; and TDARX, a North Carolina IT services company.
The FTC said Click Labs and Incentive Services submitted self-certification applications to the Commerce Department for the EU-U.S. and Swiss-U.S. frameworks but never completed the certification process. Nonetheless, both companies claimed on their websites to be in compliance.
According to the cases against Global Data Vault and TDARX, the companies were once EU-U.S. Privacy Shield participants but allowed their certifications to lapse, meaning that the statements about their participation in their privacy policies were false. The complaints also allege that, while they were participants, they failed to perform the annual self-assessment or outside compliance review that the framework requires of every participant. What about the data they received during their participation? The framework gives former participants three options: affirm that they will continue to apply the Privacy Shield Principles to the information, return the information, or delete it. The FTC said Global Data Vault and TDARX did none of the three.
The proposed settlements prohibit the companies from misrepresenting their participation in or compliance with the EU-U.S. Privacy Shield Framework or any other privacy or data security program sponsored by a government, self-regulatory organization or standards-setting organization. In addition, Global Data Vault and TDARX must either continue to apply the Privacy Shield protections to, return, or delete the personal information they collected while participating in the program. Once the proposed settlements are published in the Federal Register, the public will have 30 days to submit comments.
How can you help your company avoid framework failure? Consider these three steps:
- Participation in the framework is voluntary, but do not advertise participation until your company's certification has been finalized.
- Set reminders on your calendar to complete the required recertification process and annual verification each year.
- If your business stops participating, remove Privacy Shield references from your website, including your privacy policy. Also consider carefully how your company will continue to protect (or securely return or delete) the information it collected while it was a participant.
Please visit the FTC’s Privacy Shield page for additional resources.