On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield.
Specifically, the FTC alleged that IDmission, LLC misrepresented participation in the program by claiming certification on its website despite never completing the steps necessary to participate following the company’s October 2017 application. On the other hand, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. each successfully obtained Privacy Shield certification in 2016 but failed to properly renew expired certifications. Therefore, the FTC alleged the three companies misrepresented that they were current participants in the program.
Further, the FTC alleged that SmartStart Employment Screening, Inc. and VenPath, Inc. additionally misrepresented that they adhere to the Privacy Shield Principles by failing to withdraw or affirm the commitment to protect personal information acquired during participation in the program. The Privacy Shield Principles require that if a company ceases to participate, the company must affirm to the U.S. Department of Commerce that it will continue to apply the Privacy Shield Principles to such personal information.
Pursuant to the proposed settlements, both SmartStart Employment Screening, Inc. and VenPath, Inc. must meet continuing obligations under the Privacy Shield by affirming to the Department of Commerce that the companies will apply the Privacy Shield Principles to personal information received during participation in the program or protect the personal information by another method authorized under EU or Swiss law, such as binding corporate rules or standard contractual clauses. Otherwise, the companies must return or delete such personal information within 10 days of the orders becoming effective. All four companies are prohibited from misrepresenting participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization and are subject to FTC compliance reporting, recordkeeping, and monitoring requirements.
According to the director of the FTC’s Bureau of Consumer Protection, these settlements increase the number of Privacy Shield enforcement actions to eight (after settlements with Decusoft, LLC, Tru Communication, and Md7, LLC in September 2017 and with ReadyTech Corporation last July), which evidences the FTC’s intention to continue its aggressive enforcement of cross-border privacy frameworks.
Cross-border data protection continues to be a hot topic following on the heels of last week’s U.S. Senate hearing on baseline comprehensive privacy and data protection law in the United States. Active FTC enforcement of the Privacy Shield is intended to signal to the European Union and other trading blocs the importance the United States places on privacy and data protection. Pragmatically, it remains unclear whether these FTC efforts (focusing on allegedly deceptive statements regarding Privacy Shield adherence) materially improve data protection. However, given the perceived lack of any enforcement activity relating to model contracts enforcement and binding corporate rules adherence, critics of the Privacy Shield program may have little ground to stand on. Overall, all of these developments suggest the continued need to focus on and develop privacy and data protection regulation that emphasizes transparency and accountability.
Reed Smith is actively involved in efforts to foster and encourage trans-Atlantic dialog on these issues. In October, representatives from Reed Smith, The Providence Group, the U.S. Department of Commerce, the Computer Emergency Response Team for EU institutions, bodies, and agencies (CERT-EU), and the Istituto di Informatica e Telematica will engage in a panel discussion at the 40th Annual Conference of Data Protection in Brussels titled, Using Risk Management to Think About Privacy and Trust as a Critical Brand Asset.