FTC to EU: We Take Our Privacy Shield Duties Seriously
The Federal Trade Commission (FTC) has issued its first enforcement orders concerning misrepresentations about participation in the EU-U.S. Privacy Shield Framework. In three separate actions, the FTC found that the companies had falsely claimed to be compliant with the Privacy Shield Framework, and has issued orders with proposed settlements that prohibit misrepresentations about compliance with any privacy or security program sponsored by a government or a self-regulatory or standard-setting group. The FTC is accepting comments about the settlements until October 20, 2017.
These are the first enforcement cases brought by the FTC concerning participation by U.S. companies in the Privacy Shield Framework, which was negotiated by the Department of Commerce and EU representatives in 2016 as a replacement for the EU-U.S. Safe Harbor Framework. The Safe Harbor Framework was invalidated by the EU Court of Justice in 2015. The Privacy Shield Framework imposes enforcement authority upon the Department of Commerce (DOC) and the FTC, and includes the obligation to engage in more robust monitoring and enforcement.
In its press release, the FTC drew attention to the fact that besides being the first FTC actions brought to enforce the Privacy Shield Framework, these actions are also a departure from prior enforcement actions concerning U.S. companies’ participation in the Safe Harbor Framework. Those actions challenged companies who had self-certified from failing to annually renew their self-certification. The three Privacy Shield Framework enforcement actions took issue with the fact that these companies had all started the self-certification process, failed to complete it, but falsely claimed to be compliant with the Privacy Shield Framework in their respective privacy policies.
These enforcement actions send two messages: First, that companies that begin the self-certification process should complete it – and if contacted by the FTC or DOC about an incomplete application, either complete it post haste, or remove any false claims in public-facing documents.
And second, that the FTC plans to be proactive in its enforcement activity, so as to limit the risk of EU claims that it is not complying with its obligations under the Privacy Shield Framework.