ARTICLE
18 January 2019

A Look Back At 2018 Privacy Shield Enforcement

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program.
European Union Privacy

Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which as we have reported on previously gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide "adequate levels of privacy protection." In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.

This last point was a particular concern for both the EU the US Department of Commerce when the program was put in place was the possibility of companies saying that they participated in the program when, in fact, they did not. Illustrating enforcement efforts in this area, in July, the FTC brought action against ReadyTech an online training company, for saying that "it was in the process of certifying" compliance with the program when in fact, although the application was filed with the Department of Commerce, the company did not take the remaining steps needed to participate. The settlement with ReadyTech was finalized in October. In four similar cases, the FTC alleged that IDmission, mResource, SmartStart Employment Screening, and VenPath also each stated incorrectly that they were certified under the program. IDmission, however, like ReadyTech, had started but not completed the certification process. mResource, SmartStart and VenPath had been certified previously, but their certifications had lapsed.

Putting it Into Practice: The EU will be reviewing Privacy Shield's sufficiency again at the end of 2019. In anticipation of this review we expect to see ongoing enforcement from the FTC, in particular for companies whose policies state they are participating in the program when they have not been certified, or their certifications have lapsed.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More