As predicted, the Federal Trade Commission (“FTC”) is keeping track of misrepresentations regarding Privacy Shield certification and compliance, and taking violations seriously. On Thursday, the FTC announced that it reached settlements with four different companies, doubling its total number of Privacy Shield-related actions in one fell swoop.
The FTC alleged that three of the companies — SmartStart, VenPath, and mResource — allowed their certifications to lapse, but left statements on their websites declaring their Privacy Shield participation. The FTC alleged that the fourth, IDmission, applied for Privacy Shield certification but never completed the process despite stating on its website that it was compliant.
The enforcement actions come at a precarious time for Privacy Shield, just a few months after the European Parliament criticized the EU-US Privacy Shield as failing to provide an adequate level of protection for the transfer of personal data. The Members of the European Parliament (“MEPs”) requested that the E.U. Commission suspend the data transfer arrangement until the U.S. authorities — the Department of Commerce (the “DOC”) and the FTC — come into compliance. The criticism followed the Facebook-Cambridge Analytica data breach, which involved two companies that are Privacy Shield certified. Specifically, MEPs called for better monitoring of Privacy Shield compliance. Just a few weeks later, the EU Commissioner for Justice echoed MEPs and warned the U.S. Commerce Secretary that the U.S. has three months to comply with the EU’s demands regarding Privacy Shield, including the appointment of an ombudsman to deal with E.U. citizen privacy-related complaints.
Yesterday’s slew of Privacy Shield settlements is a clear indication from the FTC and the DOC that they are actively monitoring Privacy Shield compliance. Time will tell if this level of enforcement is enough for MEPs and the European Commission, especially given the other concerns regarding the adequacy of the agreement’s data protection mechanisms and the recently passed CLOUD Act. Regardless, Privacy Shield certified companies should ensure their compliance, as investigating violations of the agreement is clearly becoming a priority for the FTC and may ramp up even more in an effort to save the agreement.
“We have now brought enforcement actions against eight companies related to the Privacy Shield, and we will continue to aggressively enforce the Privacy Shield and other cross-border privacy frameworks.”