August 3, 2021

Volume XI, Number 215

Advertisement

August 02, 2021

Subscribe to Latest Legal News and Analysis

FTC Finalizes Settlement with Service Provider over Alleged Privacy Shield Misrepresentations

The EU-U.S. Privacy Shield Framework, which provided a mechanism to legally transfer personal information from the EU to the United States, was invalidated on July 16, 2020, but the Federal Trade Commission (FTC) has made it clear that companies that claimed to be participants must still make good on their word. A case in point is the FTC’s recent settlement with NTT Global Data Centers Americas, Inc. (NTT) over charges that the company misrepresented its participation in the EU-U.S. Privacy Shield Framework after its certification had lapsed in January 2018. Businesses that transfer personal information from the EU to the United States rely on representations by service providers such as NTT that they comply with established privacy principles and that an approved adequacy mechanism is in place to facilitate such transfers.

The settlement terms bar NTT from misrepresenting in any way its participation in or adherence to any privacy or data security program. They also require NTT to apply Privacy Shield or equivalent protections to all personal information the company collected during its membership in the framework or return or delete that information. The FTC has taken similar action against other companies over the years, and this decision reaffirms the importance of ensuring that claims about participation in the Privacy Shield, or any other privacy program, are made only when an application has been approved and a certification is current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.

The Commission vote to finalize the settlement with NTT was 3-1-1. Commissioner Rebecca Kelly Slaughter did not take part, and Commissioner Rohit Chopra voted no and issued a statement in which he pressed the Commission to impose monetary fines on companies that mislead consumers about their participation in privacy programs.

Whether the FTC imposes heavier sanctions down the road or not, damage to reputation can cost a company dearly. The FTC’s settlement with NTT is also a reminder of the importance of “trust but verify.” The U.S. Department of Commerce’s Privacy Shield list provides a way to double check that an organization’s representations about compliance are true. The vast majority of Privacy Shield participants take their obligations seriously. The FTC’s focus on the few organizations that do not remain current in their Privacy Shield commitments enhances the reliability of the Privacy Shield even as discussions continue on possible alternative adequacy mechanisms to address data transfers from the EU to the United States.

© 2021 Keller and Heckman LLPNational Law Review, Volume X, Number 337
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...

202-434-4234
Advertisement
Advertisement