Privacy Shield: If You Got It – Flaunt It; If Not – Don’t

One of the EU’s chief complaints against US privacy practices is the lack of enforcement of the EU-U.S. Privacy Shield Framework (Privacy Shield). Last week we saw a US enforcement action that may allay this concern. The US Federal Trade Commission (FTC) is putting companies on notice through Privacy Shield enforcement actions and warning letters.

The FTC announced a settlement with background check provider SecurTest, Inc. (SecurTest) for falsely claiming compliance through self-certification with the U.S. Department of Commerce under the Privacy Shield. The FTC alleged that SecurTest falsely claimed participation in the Privacy Shield on its website.

Companies that are compliant with the Privacy Shield can transfer consumer data from European Union countries and Switzerland to the United States in accordance with EU and Swiss law. SecurTest began the Privacy Shield application process in September 2017 with the U.S. Department of Commerce, but did not complete the necessary steps to become certified. Despite not being certified, it made representations on its website to the contrary. The FTC and SecurTest entered into a settlement, which includes spreading awareness to SecurTest stakeholders of its noncompliance and providing the FTC with compliance reports.

The FTC also issued thirteen warning letters to businesses over similar allegedly inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield. While the FTC did not name the recipients of these letters, the agency is clearly taking this misrepresentation seriously.