Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program. One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was lack of US oversight and enforcement.
The FTC has oversight authority for the EU-US Privacy Shield program, which is a voluntary certification process that allows companies to transfer consumer data from the EU to the US in compliance with EU law. Currently, more than 3,000 US companies participate in the program. The FTC reports that it brought four separate administrative complaints alleging that each company falsely claimed to be certified. One company never completed the certification process and the other three allowed their certifications to lapse. The websites of all four companies contained statements that they complied with or participated in the EU-US Privacy Shield program.
The proposed settlements prohibit each company “from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization” and require that each company comply with FTC reporting requirements. Two of the companies must also apply all EU-US Privacy Shield protections to data collected when they participated in the program, or must return or delete the information. The FTC will issue copies of the consent orders in the Federal Register soon. They will be subject to public comment for 30 days and then the FTC commissioners will decide whether to finalize the consent orders.
According to the FTC, it has now brought eight enforcement actions against companies related to the EU-US Privacy Shield program. The question for the EU Commission’s consideration is whether the recent enforcement actions constitute adequate oversight by the US over the program’s two-year history.