California Company Settles with FTC over Alleged Privacy Shield Misrepresentations
If a company claims to be certified under the EU-U.S. Privacy Shield framework when it hasn’t even completed the paperwork, the Federal Trade Commission (FTC) isn’t likely to let it slide. ReadyTech, a California-based online training services company, made such a claim on its website, in violation of the FTC Act’s prohibition against deceptive acts or practices, according to the FTC’s complaint against the company.
The Privacy Shield is one of the approved mechanisms through which U.S. companies can lawfully transfer personal data from the EU to the U.S. in compliance with the EU General Data Protection Regulation (GDPR). ReadyTech stated on its website that it was “in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” However, according to the FTC, while the company initiated the process of self-certifying to the U.S. Department of Commerce in 2016, it was never completed.
As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization. It also must comply with standard reporting and compliance requirements.
This is the FTC’s fourth case enforcing misrepresentations regarding participation in the Privacy Shield since the framework became operational two years ago, and the FTC brought similar enforcement actions under the old U.S.-EU Safe Harbor Framework (the Privacy Shield’s predecessor). The action against ReadyTech serves as a reminder to businesses to not only avoid misrepresenting their participation in privacy and data security frameworks, but also to take steps to ensure more generally that their practices are aligned with their privacy commitments.
The FTC actively enforces privacy and data security violations through its authority under Section 5 of the FTC Act, such as a failure to disclose certain practices in online privacy statements, a failure to follow stated practices, or materially and retroactively changing how personal data is handled without consent from affected consumers. The FTC pays special attention to possible violations of the Privacy Shield. The Privacy Shield, like the Safe Harbor before it, is viewed by businesses as a critical vehicle for companies to comply with cross-border data transfer obligations under EU privacy laws. Because privacy advocates and some regulators continue to criticize the Privacy Shield’s self-regulatory approach for meeting EU requirements, it is especially important that the FTC polices compliance to maintain the integrity of the program.
Companies that operate globally must be mindful of their obligations to meet their privacy commitments to comply with the FTC Act as well as with the new EU GDPR and other international data protection laws.