FTC Could Police U.S. Companies’ Promises on EU Data Privacy Law

By Daniel R. Stoller

Companies that updated their privacy policies to give U.S. consumers some protections under the European Union’s new regime may have to deal with data security regulators on both sides of the Atlantic.

Many companies that collect and use consumer data changed their policies to comply with the EU’s General Data Protection Regulation, which took effect May 25. Microsoft Corp. and Facebook Inc., for example, decided to provide some of the GDPR’s protections, including increased data use transparency, clear and concise consent policies, and easier access to privacy tools, to their customers.

Those moves may trigger unintended consequences for companies that fail to live up to newly promised protections—scrutiny from the Federal Trade Commission as well as EU data protection regulators.

“If a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices,” they must live up to those commitments, FTC spokeswoman Juliana Gruenwald Henderson told Bloomberg Law. In appropriate situations, “the FTC could initiate an enforcement action if the company does not comply with” the EU data protection promises for U.S. customers.

The possibility reflects the FTC’s reach in enforcing U.S. companies’ privacy policy promises. U.S. companies that promise EU-level privacy protections to U.S. customers will have to think twice about not living up to their pledges.

“If the company claims that it is compliant with EU law, it better be right, because the FTC will be looking for companies that are non-compliant but say otherwise,” David Vladeck, former director of the FTC’s bureau of competition under President Barack Obama from 2009-2012, told Bloomberg Law.

The FTC has brought actions against companies that didn’t live up to EU privacy and data transfer promises.

“There is no surprise in what the FTC has announced,” Vladeck, currently faculty director of Georgetown Law’s Center on Privacy and Technology, told Bloomberg Law.

The agency brought enforcement actions against companies that claimed they were in compliance with the now-invalidated U.S.-EU Safe Harbor data transfer framework, Vladeck said. Similar actions were brought against companies that inaccurately touted compliance with the EU-U.S. Privacy Shield data transfer framework, he said.

Voluntary Compliance

Some in the tech sector believe that applying GDPR-style privacy protections for their customers will boost consumer trust and provide extra layers of security.

Facebook is offering European privacy protections to many users around the world, a company spokesperson confirmed to Bloomberg Law.

The social media giant saw GDPR as an opportunity to go beyond obligation and improve users’ privacy.

Microsoft didn’t immediately respond to Bloomberg Law’s email request for comment.

Know Your Risks

Privacy lawyers said U.S. companies are taking a risk if they blindly adopt GDPR-like privacy policies.

“Statements about adherence to the GDPR are representations to the consumer” and are likely material enough to launch an agency investigation, Chris Hoofnagle, faculty director at the Berkeley Center for Law & Technology, told Bloomberg Law.

Company promises of GDPR-style protections to their customers may invite FTC scrutiny, Katherine Armstrong, information privacy counsel at DrinkerBiddle in Washington, told Bloomberg Law.

“If a company represents that it complies with GDPR, that is an express representation that is either true or false,” said Armstrong, previously an adviser to Republican-appointed FTC Chair Janet Steiger. The agency may bring enforcement actions “based on deception if an entity claims to be GDPR compliant and was not,” she said.

The FTC “will be looking at what sort of claims companies are making about their GDPR compliance,” Armstrong said.
