August 8, 2020

Volume X, Number 221

August 07, 2020

Subscribe to Latest Legal News and Analysis

August 06, 2020

Subscribe to Latest Legal News and Analysis

August 05, 2020

Subscribe to Latest Legal News and Analysis

FTC Privacy Shield Settlement Requires Company to Obtain Annual Outside Compliance Review

On June 30, 2020, the Federal Trade Commission (“FTC”) announced it had entered into a consent agreement (the “Proposed Settlement”) with NTT Global Data Centers Americas, Inc. (“NTT”), a successor in interest to RagingWire Data Centers, Inc. (“RagingWire”), to settle allegations in a November 2019 Administrative Complaint that RagingWire misrepresented its participation in and compliance with the EU-U.S. Privacy Shield Framework (“Privacy Shield”), in violation of the FTC Act.

Specifically, the FTC alleged that RagingWire represented that from at least January 2017 to October 2018, it was a current participant in the Privacy Shield, whereas its certification had lapsed from at least January 2018 until approximately June 2019. In addition, the FTC alleged that RagingWire failed to (1) verify its Privacy Shield assertions, (2) comply with the Privacy Shield requirement that it maintain an independent recourse mechanism for the period of approximately October 2017 to June 2018, and (3) comply with continuing obligations under the Privacy Shield.

Notably, the Proposed Settlement provides that for as long as NTT participates in the Privacy Shield, it shall obtain an annual outside compliance review from an independent third-party assessor regarding its Privacy Shield assertions and practices. The independent assessor must be approved by the Associate Director for the Division of Enforcement of the Bureau of Consumer Protection at the FTC. The review is to demonstrate that NTT’s assertions about its Privacy Shield practices are true and that those practices have been implemented as represented and in accordance with the Privacy Shield Principles. The third-party assessor must make its signed statement verifying the review available to the FTC upon request. NTT is further ordered not to misrepresent compliance with or participation in privacy programs, to meet continuing Privacy Shield obligations and to comply with report and notice, recordkeeping and monitoring requirements.

In voting to accept the proposed settlement, the FTC Commissioners’ majority statement noted, “This order is, in fact, more protective of the Privacy Shield Principles than the 14 orders this Commission . . . has approved in prior Privacy Shield cases. Specifically, it requires Respondent to obtain third-party assessments for as long as it participates in Privacy Shield.”

Public comments on the consent agreement must be received by the FTC on or before August 10, 2020.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 197


About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct