The Federal Trade Commission recently announced that it had settled charges against three companies alleged to have falsely claimed participation in Privacy Shield. Privacy Shield supports EU-U.S. transfers of personal data by helping U.S. companies demonstrate compliance with European Union data transfer rules. Companies participating in the program commit to meet specific program requirements designed to protect and limit use of personal data. These requirements include notice, choice, controls on onward transfers of data, independent recourse, and data security. Privacy Shield also requires companies to publicly self-certify by completing an official registration at privacyshield.gov.
The FTC alleged that the three companies, while claiming participation in Privacy Shield in their online privacy policies, had nevertheless “failed to complete the certification process for the Privacy Shield.” The FTC alleged that these acts constituted a wrongful “deceptive” act under the FTC Act.
These cases represent the first enforcement actions brought by the FTC regarding the Privacy Shield, which has been in place for a little over a year. In settling the cases, the FTC does not report the assessment of any fine or other monetary penalty. Upon final approval of the settlement by the FTC, the companies will be subject to reporting, notice, record-keeping, and FTC monitoring requirements extending up to 20 years.