FTC Takes First EU-U.S. Privacy Shield Enforcement Actions

By Jimmy H. Koo

Three companies accused of falsely claiming certification to take part in the European Union-U.S. Privacy Shield reached no-fault settlements with the Federal Trade Commission, the agency announced Sept. 8 in its first Privacy Shield enforcement action.

The action comes ahead of the FTC’s upcoming first annual review of the crucial data transfer pact and may serve to reassure EU officials that the U.S. is serious about meeting its privacy obligations under the pact—something critical to ensuring the program’s continuation.

The Privacy Shield is used by nearly 2,400 U.S. companies that certify to the U.S. Commerce Department their compliance with EU-approved privacy principles in order to legally transfer personal data out of the EU. Tens of thousands of EU companies rely on those certifications to transfer data to the U.S. The FTC is in charge of compliance oversight and enforcement.

According to the FTC, human resources software company Decusoft LLC, printing services company Tru Communication Inc., and real estate lease management company Md7 LLC settled allegations that they falsely told consumers that they were certified to participate in a trans-Atlantic data transfer framework. The companies failed to complete the Privacy Shield certification process, and Decusoft also falsely represented that it participated in the parallel Swiss-U.S. Privacy Shield framework, the FTC said.

The consent agreements prohibit the three companies from misrepresenting their compliance with any privacy or data security program, including the Privacy Shield.

Jon Harris, owner of Tru Communication, doing business as TCPrinting.net, told Bloomberg BNA Sept. 8 that for small businesses, the Privacy Shield-certification process can be confusing. “We didn’t know what we were getting into,” he said.

The FTC, Decusoft, and Md7 didn’t immediately return Bloomberg BNA’s email requests for comments.

Because the Privacy Shield is a self-certifying program, having the FTC take enforcement actions “is critical for the framework to work,” Justin Antonipillai, CEO of data privacy management company WireWheel.io, told Bloomberg BNA Sept. 8. The action demonstrates the agency’s commitment to “real enforcement,” said Antonipillai, who as the former acting undersecretary at Commerce led the U.S. team that negotiated the Privacy Shield agreement.

EU Privacy Concerns

Liisa M. Thomas, partner and chair of privacy and data security practice at Winston & Strawn LLP in Chicago and London, told Bloomberg BNA Sept. 8 that the timing of the FTC’s announcement before the Privacy Shield annual review “is likely not a coincidence.”

The Privacy Shield was adopted in 2016 as a replacement for the U.S.-EU Safe Harbor data transfer program. The EU’s highest court invalidated Safe Harbor, finding that it didn’t adequately protect the privacy of data of EU citizens transferred to the U.S. The annual review process for the Privacy Shield grew out of such concerns.

The first review of the Privacy Shield is scheduled to begin Sept. 18 in Washington in meetings between an EU delegation led by the European Commission, the EU’s executive arm, and U.S. officials.

Despite assurances from officials on both sides of the Atlantic that they are committed to the Privacy Shield, some EU lawmakers have said it is unclear whether the Trump administration will stand by commitments the Obama administration made to limit government surveillance and acknowledge protections for EU citizens.

Norma M. Krayem, senior policy adviser at Holland & Knight LLP in Washington and co-chair of the firm’s cybersecurity and privacy team, told Bloomberg BNA Sept. 8 that companies need to understand that the Privacy Shield has “real requirements that have both teeth and must be demonstrable to spot checks and audits.”

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the FTC's announcement is available at http://src.bna.com/snI.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
