Claiming Privacy Shield Participation on Your Website? Lessons from the FTC’s First Privacy Shield Enforcement Action

The Federal Trade Commission recently announced settlements with Decusoft, LLC, Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, resolving allegations that the companies misrepresented their participation in the E.U.-US and Swiss-US Privacy Shield. The announcement comes just before the first Privacy Shield annual review (scheduled for September 2017) and marks the FTC’s first enforcement action related to Privacy Shield. This post provides a brief overview of the Privacy Shield framework, notable facts from the enforcement action, and key takeaways for companies.

Privacy Shield. The E.U.-US and Swiss-US Privacy Shield frameworks are an alternative transfer mechanism for companies to transfer E.U. and Swiss individual data to the United States in compliance with E.U. and Swiss data protection requirements. To participate in either framework, a company must self-certify to the Department of Commerce (“Commerce") that it adheres to the Privacy Shield Principles. The FTC enforces compliance with the Privacy Shield framework under its Section 5 deception authority, and companies who misrepresent their Privacy Shield participation run the risk of an FTC enforcement action.

Charges and Settlement. All three companies claimed, in their respective online privacy policies and statements, that they were Privacy Shield framework participants. These representations were either express or by implication. Notably, in the case of TCPrinting.net, the company’s privacy policy stated that it would “remain compliant and current with Privacy Shield at all times.” Contrary to these claims, none of the three companies completed the steps necessary to participate in the Privacy Shield framework. The FTC settlement prohibits the companies from misrepresenting the extent to which they participate in any privacy or data security program and imposes FTC reporting requirements for a 20-year period.

Key Takeaways. Since 2009, the FTC has settled 36 cases involving claims of Safe Harbor participation, three cases involving alleged violations of Safe Harbor Privacy Principles, and four cases involving claims of participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. As noted in the chart below, the FTC has been active in enforcing cross border privacy frameworks, and companies should expect this trend to continue. As part of the Privacy Shield negotiations, the FTC committed to give priority to Privacy Shield non-compliance referrals received from EU Member States, Commerce, and privacy self-regulatory organizations and other independent dispute resolution bodies. With the first Privacy Shield annual review forthcoming, these enforcement actions affirm that commitment.

Year FTC Enforcement Actions and Warning Letters
2009-2013 -10 Companies Settle Safe Harbor Charges
2014 -14 Companies Settle Safe Harbor Charges
2015 -15 Companies Settle Safe Harbor Charges
2016 -1 Company Settles APEC CBPR Charges -FTC Issues Warning Letters to 28 Companies Regarding APEC CBPR Participation
2017 -3 Companies Settle APEC CBPR Charges -3 Companies Settle Privacy Shield Charges
In light of this activity, companies should review their privacy policies and similar statements to ensure that claims about participation in or compliance with self-regulatory or governmental privacy related programs are up to date and accurate.