FTC Announces Enforcement Action, Warning Letters For Companies Falsely Claiming Privacy Shield Participation

BakerHostetler
Contributor
Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com

The Federal Trade Commission (FTC) recently announced a compliance sweep of companies claiming to be in compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield Frameworks. The U.S.-EU Privacy Shield and the U.S.-Swiss Privacy Shield programs enable companies to self-certify that they have adopted a number of data protection practices to bring their businesses in line with European data protection law. Because the U.S. lacks a generally-applicable federal data protection law, and because the standards for data protection in the U.S. are less stringent than those in the EU, the U.S. is considered to be an "inadequate" jurisdiction under European law, and data transfers to the U.S. are generally barred. However, if a company adopts data protection practices consistent with the requirements of European law, it may self-certify compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield with the U.S. Department of Commerce. Adherents to the Privacy Shield frameworks can then represent their data protection practices as "adequate" under EU law, enabling free and legal transfer of personal data regarding EU data subjects to the U.S. under the European Union's General Data Protection Regulation and Swiss Data Protection Act.

The FTC's enforcement sweep resulted in a settlement with SecurTest Inc., a Florida-based background check company, for falsely claiming to be a participant in the U.S.-EU Privacy Shield Program. The complaint alleges that SecurTest included statements in its online privacy policy that indicated that the company was a participant in the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield. However, the FTC alleges that SecurTest never completed the certification process but nevertheless made statements in its website privacy policy indicating that it had done so.

In addition to the enforcement action against SecurTest, the FTC also issued warning letters to 13 companies that claimed to be participants in the long-defunct U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks. The U.S.-EU and U.S.-Swiss Safe Harbor programs were predecessors of the U.S.-EU and U.S.-Swiss Privacy Shield program. The U.S.-EU Safe Harbor program was deemed invalid by the European Court of Justice on Oct. 6, 2015, after Max Schrems, an Austrian privacy activist, brought a complaint against Facebook challenging the adequacy of the protection afforded to European data under the Safe Harbor framework. Following the decision by the European Court of Justice, the Swiss Data Protection Authority determined that the U.S.-Swiss Safe Harbor did not accord adequate protection for data transferred from Switzerland and declared the U.S.-Swiss Safe Harbor to also be invalid. The FTC also sent warning letters to two other companies for falsely claiming to be participants in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules.

The FTC's recent enforcement action and warning letters should serve as a reminder to U.S. companies of the importance of keeping their privacy policies up to date and accurate. In the data protection context, the FTC considers false privacy policy statements to be deceptive acts under the Commission's enforcement authority under Section 5 of the FTC Act, and has brought numerous enforcement actions against companies for false privacy policy statements in the past. Privacy policies claiming compliance with invalidated or updated programs or laws are also an obvious red flag for regulators. The FTC's actions also serve as a reminder that companies should carefully consider all international data transfer options and understand the compliance burdens associated with each. While Binding Corporate Rules, Standard Contractual Clauses and Privacy Shield certification all require companies to adopt significant data protection measures in order to provide EU personal data with an adequate level of protection, self-certification to the Privacy Shield brings with it the risk of scrutiny and potential enforcement actions from U.S. authorities at the Department of Commerce or FTC. Privacy Shield-certified organizations are also required to recertify every year. Companies that continue to represent Privacy Shield participation in their privacy policies after failing to recertify run the risk of FTC enforcement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
