June 30, 2020

FTC settles the latest in a series of Privacy Shield actions

The Federal Trade Commission has entered into a settlement with NTT Global Data Centers, Inc., which, during the relevant period, was known as RagingWire Data Centers, Inc.  In its November 2019 complaint, the FTC alleged that RagingWire claimed participation in the EU-US Privacy Shield Framework for at least 10 months after its certification had lapsed.  The complaint also alleges that RagingWire failed to adhere to the requirements of the Privacy Shield program both before and after its certification lapsed.  The FTC filed the complaint after sending two warning letters.  

The settlement requires NTT to hire a third-party assessor to verify the company’s adherence to its Privacy Shield promises, and prohibits the company from misrepresenting its participation in any privacy or data security program sponsored by the government or a self-regulatory organization.

In Business Blog commentary following announcement of the settlement, the FTC noted that the NTT case suggests four compliance tips for other companies:

1. Keep Privacy Shield statements up to date, and make sure that express or implied statements about participation in the Privacy Shield accurately reflect the current status of the organization.
2. Honor the substantive provisions of the Privacy Shield, including the verification requirement.
3. Complete the annual recertification in a timely manner.
4. Follow the proper procedures for withdrawing from the Privacy Shield, including obligations regarding the data collected during the organization’s membership in the program.

To date, the FTC has brought about 40 Privacy Shield-related enforcement actions.

FTC press release | Decision and Order | FTC Blog