On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the first annual joint review set to begin next week.
FTC Enforcement Actions
According to the FTC’s complaints, the three companies claimed on their websites to have self-certified to the EU-U.S. Privacy Shield Framework – and in one instance, also the Swiss-U.S. Privacy Shield Framework – whereas allegedly they had not completed the certification process.
The Commission’s allegations in these cases did not concern substantive violations of the Privacy Shield Principles; rather, they focused on misrepresentations regarding certification status. This should come as no surprise: in an April 13 blog post, the FTC issued a direct warning that it “will pursue enforcement if companies mislead consumers about their participation in Privacy Shield.”
These enforcement actions are likely to be a topic of conversation during the upcoming first annual joint review of the Privacy Shield Framework, which is scheduled to begin next week and will involve representatives from the U.S. Department of Commerce, the European Commission, the Article 29 Working Party and the FTC. Continue Reading