Four companies have just reached a proposed agreement with the Federal Trade Commission to settle allegations that they made false statements regarding their participation in the EU-U.S. Privacy Shield. These cases reflect the FTC’s continued commitment to enforcing the Framework. Two of the complaints also involve Privacy Shield obligations, which may deserve more attention from your company.
The Privacy Shield program provides a means for companies to transfer personal data from the European Union to the United States in compliance with EU data protection requirements. To participate, businesses must apply to the Department of Commerce and comply with the program’s self-certification requirements. One of the requirements is that companies recertify annually to maintain their status as members of the Privacy Shield. Participation is voluntary, but if a business claims to be in compliance, that representation (like other objective claims) must be true. According to the FTC’s enforcement record in this area, false statements may violate the FTC Act.
Colorado-based IDmission, LLC, which sells a cloud-based platform for businesses, claims it has “certified to the Department of Commerce that it complies with the Privacy Shield Framework.” The company began the certification process in October 2017 but has not yet completed it. According to the complaint, the Commerce Department has worked with the company to resolve issues with its application and warned the company to remove any statements about compliance until the company resolves the issues.
Three other companies let their certifications lapse without changing their representations on their websites, the FTC said. mResource LLC (doing business as Loop Works) is a Chicago recruiting and talent management firm. Despite claiming to be “a participant in the U.S. Department of Commerce’s EU-U.S. Privacy Shield,” its certification expired in December 2017.
New York-based VenPath, Inc. said it “participates in and has demonstrated its compliance with the EU-US Privacy Shield Framework.” But the data analytics company allowed its certification to lapse in October 2017.
Then there’s SmartStart Employment Screening, a background screening company in Florida. The company claims that it “complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce on the collection, use and retention of personal information from EU member states.” However, SmartStart’s certification expired in September 2017.
The four proposed complaints all contain similar allegations to other Privacy Shield cases: that the company falsely represented that it was a current participant in the EU-U.S. Privacy Shield framework.
But the proposed complaint against VenPath and SmartStart also includes a noteworthy allegation. When a company says it will comply with the EU-U.S. Privacy Shield Framework Principles, a key requirement is that if it later ceases to participate in the Privacy Shield, it must confirm with the Department of Commerce that the Principles will continue to apply to personal information received during its participation in the Privacy Shield. . The complaint alleges that VenPath and SmartStart failed to meet this ongoing obligation. According to the FTC, this is the second way the two companies have misrepresented their Privacy Shield compliance.
Proposed settlement serves as reminder that companies must complete initial certification if they say they are a Privacy Shield participant and Complete required annual recertification. Furthermore, if a company opts out of the program (of course voluntarily), it still maintains ongoing obligations with respect to the personal data it collected while representing itself as a participant.
The FTC is accepting comments on the proposed settlement until October 29, 2018.
