FTC Steps Up Privacy Shield Enforcement Actions

Blog WilmerHale Privacy and Cybersecurity Law

This week the FTC announced yet another batch of enforcement actions against companies for misrepresenting their participation in the EU-US and US-Swiss Privacy Shield Frameworks.  Since the beginning of the year, the FTC has settled actions against 12 companies for purported Privacy Shield lapses (see here, here, here, and here).  In addition to these enforcement actions, earlier this year the FTC issued warning letters to 13 companies who still claimed participation in the prior Safe Harbor regime.  The number of settlements and warning letters is greatly outpacing prior years, with this year’s actions exceeding the total number of actions in the two prior years combined.  In 2018, the FTC settled Privacy Shield actions against 5 companies (here and here), and in 2017, the FTC settled 3 such actions.  

What is causing the increase?  The European Union continues to express displeasure with the data transfer pact.  This year, as part of the third annual review of Privacy Shield, the European Commission called for more enforcement, specifically with respect to the substantive requirements of Privacy Shield, as well as greater transparency into U.S. enforcement actions relating to the Framework.  The FTC has obliged in an effort to show the EU that it is serious about maintaining the Framework.  While there continue to be enforcement actions asserting failure to complete certification or certification lapses, recent cases have alleged more substantive Privacy Shield violations, including failures to annually verify compliance with the Framework and failure to abide by the Privacy Shield requirement that companies that stop participating in the Framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

These actions are a reminder for the companies that have self-certified to the Privacy Shield Framework that the obligations are ongoing and include annual verification. 

If your organization is self-certified or considering joining Privacy Shield be sure to:

  • Complete all of the self-certification steps.  The Department of Commerce provides a “How-To” guide on the Privacy Shield site.  
  • Ensure privacy policy representations and assertions about Privacy Shield participation remain accurate or are promptly removed if the organization withdraws from the Framework.
  • Annually verify the organization’s Privacy Shield attestations and assertions through self-assessments or outside compliance reviews in accordance with the Verification Supplemental Principle.  Don’t forget the signed verification or attestation statement.
  • And, of course, comply with all the Privacy Shield’s substantive Principles!