October 21, 2019

October 18, 2019

A Look Back at 2018 Privacy Shield Enforcement

Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, as we have previously reported, gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December, the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. In reaching its conclusion, the EU Commission noted that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms) and is pursuing companies that were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.

This last point, the possibility of companies saying that they participated in the program when, in fact, they did not, was a particular concern for both the EU and the US Department of Commerce when the program was put in place. Illustrating enforcement efforts in this area, in July, the FTC brought action against ReadyTech, an online training company, for saying that “it was in the process of certifying” compliance with the program when in fact, although the application was filed with the Department of Commerce, the company did not take the remaining steps needed to participate. The settlement with ReadyTech was finalized in October. In four similar cases, the FTC alleged that IDmission, mResource, SmartStart Employment Screening, and VenPath also each stated incorrectly that they were certified under the program. IDmission, however, like ReadyTech, had started but not completed the certification process. mResource, SmartStart and VenPath had been certified previously, but their certifications had lapsed.

Putting it Into Practice: The EU will be reviewing Privacy Shield’s sufficiency again at the end of 2019. In anticipation of this review, we expect to see ongoing enforcement from the FTC, in particular for companies whose policies state they are participating in the program when they have not been certified, or their certifications have lapsed.


Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.


About this Author

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...