In recent months, the Federal Trade Commission has brought several enforcement actions related to compliance with the EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework. In January alone, the FTC reached agreements with six companies to settle allegations that they falsely claimed participation in the Privacy Shield Framework despite either never having been certified or letting their certification lapse. With these settlements, the FTC has brought twenty-seven administrative complaints and resulting consent agreements since the establishment of the Privacy Shield Framework in 2016.
The Privacy Shield Frameworks were negotiated by the US, EU, and Swiss governments in the wake of a decision by the EU Court of Justice that invalidated the “Safe Harbor” program that preceded Privacy Shield. The Frameworks are designed to support transatlantic commerce by providing companies in the US and Europe with a mechanism for complying with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the US. Companies in the US that wish to use Privacy Shield to transfer data to the US must self-certify to the US Department of Commerce that they comply with the Privacy Shield Principles, and the FTC is tasked with enforcing those certifications.
Pursuant to the settlements, the companies involved are prohibited from misrepresenting their participation in the Privacy Shield Frameworks and other government-sponsored privacy or data security programs. The settlements also require company principals, managers and others with responsibility for the company’s representations regarding its participation in security programs to certify receipt of the FTC order.