July 10, 2020

Volume X, Number 192

Keep Privacy Shield Certification on the Radar Screen

After all of the General Data Protection Regulation (GDPR) compliance assessments, implementation and hullaballoo in the last year or so, many companies chose to certify that they are compliant with the EU-U.S. Privacy Shield framework rather than implementing a full-blown GDPR compliance program.

To attain Privacy Shield certification, companies must submit an application and certify that when consumer data is transferred from the EU to a U.S. company, the transfer has been done in compliance with EU law. Once a company obtains Privacy Shield certification, it can present itself as being compliant on its website and to the public. However, sometimes companies don’t know that they have to update their certification on an annual basis in order to continue to hold themselves up as being Privacy Shield certified.

The Federal Trade Commission (FTC) is the enforcer for Privacy Shield certification. The FTC has publicly stated that it monitors company websites to determine whether they have kept their certification current. If a company misrepresents itself as being compliant with Privacy Shield certification, the FTC can commence an enforcement action against the company for falsely claiming Privacy Shield certification.

On September 3, 2019, the FTC announced that it had settled with five different companies on allegations that “they falsely claimed participation in the EU-U.S. Privacy Shield.” According to the FTC press release, the FTC alleged that four companies – DCR Workforce, Inc., Thru, Inc., LotaData, Inc. and 214 Technologies, Inc. – “all falsely claimed in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework” because they each submitted an application for Privacy Shield certification, but “failed to complete the necessary steps to obtain certification.”

The FTC also settled with EmpiriStat, Inc., which it alleged “falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse in 2018.”

The settlements require the companies to stop misrepresenting participation in any privacy or data security program sponsored by the government, and they must comply with FTC reporting requirements.

Lessons learned?

1) Don’t hold yourself up as being Privacy Shield certified if you haven’t submitted an application and completed the necessary steps to obtain certification; and

2) Be mindful of the continual certification requirements and don’t let the certification lapse.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.

National Law Review, Volume IX, Number 248


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...