As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which are meant to highlight the importance of the framework and reaffirm the U.S.’s commitment to strong privacy enforcement.
Given the privacy incidents that have made headlines in the U.S. over the past year, the pressure on the U.S. to show the EU it is serious about privacy could not be more intense. Earlier this year, the European Parliament adopted a nonbinding resolution to suspend the EU-U.S. Privacy Shield Framework unless the U.S. takes further steps to show its compliance with its obligations, citing risks to the privacy of EU citizens. In a recent joint statement from EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová and U.S. Secretary of Commerce Wilbur Ross, the senior officials “reaffirm[ed] the need for strong privacy enforcement to protect our citizens and ensure trust in the digital economy.” The statement emphasizes that the Commerce Department (through enforcement by the FTC) “will revoke the certification of companies that do not comply with Privacy Shield’s vigorous data protection requirements.”
Turning to the recent FTC enforcement actions, according to the FTC’s complaints, four companies falsely claimed to be certified under the EU-U.S. Privacy Shield in connection with the transfer of consumer data from EU countries to the U.S. The companies include a cloud-based technology platform vendor, a data analytics firm, an employment and background screening service provider, and a talent management and recruitment firm. According to the FTC, one company claimed on its website that it “complies with the EU-U.S. Privacy [S]hield framework,” but the company purportedly never completed the necessary steps to be certified. Three of the companies each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse and failed to remove statements on their websites that they participated in and complied with the Privacy Shield. Finally, two of the companies’ certifications lapsed and the companies allegedly failed to provide the Department of Commerce with an affirmation that the personal information the companies received while still certified under the Privacy Shield would continue to be treated in accordance with those principles.
The FTC enforcement actions make clear that the FTC has the power to punish false representations of compliance with the Privacy Shield, and the FTC likely has a similar power to act against deceptive representations of EU General Data Protection Regulation compliance by U.S. companies. The joint statement concluded by noting that “U.S. and EU officials will continue to work closely together to ensure the framework functions as intended, including on commercial and national-security related matters.” The European Commission plans to publish a report before Jan. 1, 2019, containing its findings on the functioning of the Privacy Shield.