February 27, 2020

February 27, 2020

Subscribe to Latest Legal News and Analysis

February 26, 2020

Subscribe to Latest Legal News and Analysis

February 25, 2020

Subscribe to Latest Legal News and Analysis

More FTC Privacy Shield Settlements, But Will It Be Enough For The EU?

Just days before the EU Commission reassesses the EU-US Privacy Shield program in light of the EU Parliament’s recent adequacy criticisms, the Federal Trade Commission (FTC) announced settlements with four companies allegedly falsely claiming participation in the program.  One of the issues the EU Parliament cited this summer with the EU-US Privacy Shield program was lack of US oversight and enforcement.

The FTC has oversight authority for the EU-US Privacy Shield program, which is a voluntary certification process that allows companies to transfer consumer data from the EU to the US in compliance with EU law.  Currently, more than 3,000 US companies participate in the program.  The FTC reports that it brought four separate administrative complaints alleging that each company falsely claimed to be certified.  One company never completed the certification process and the other three allowed their certifications to lapse.  The websites of all four companies contained statements that they complied with or participated in the EU-US Privacy Shield program.

The proposed settlements prohibit each company “from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization” and require that each company comply with FTC reporting requirements.  Two of the companies must also apply all EU-US Privacy Shield protections to data collected when they participated in the program, or must return or delete the information.  The FTC will issue copies of the consent orders in the Federal Register soon.  They will be subject to public comment for 30 days and then the FTC commissioners will decide whether to finalize the consent orders.

According to the FTC, it has now brought eight enforcement actions against companies related to the EU-US Privacy Shield program.  The question for the EU Commission’s consideration is whether the recent enforcement actions constitute adequate oversight by the US over the program’s two-year history.

© Copyright 2020 Murtha Cullina


About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...