Federal Trade Commission enforcing E.U. – U.S. Privacy Shield
A proposed FTC settlement with California-based employee training company ReadyTech Corporation reminds businesses that if make claims about EU-U.S. Privacy Shield participation, there is an obligation to live up to those promises.
The case and settlement confirms the FTC’s commitment to the framework. Privacy Shield gives companies a way to transfer personal data from the EU to the United States, consistent with EU data protection requirements. To participate in Privacy Shield (or the corresponding Swiss-U.S. Framework), companies must apply to the U.S. Department of Commerce and follow the program’s self-certification requirements.
ReadyTech said in its Privacy Policy: “ReadyTech is in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” According to the FTC, although ReadyTech began the Privacy Shield application process in October 2016, it didn’t follow through with the necessary steps.
The FTC alleged that ReadyTech’s statement in its Privacy Policy was false or misleading. To settle the case, the company has agreed not to misrepresent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group, or a standard-setting organization. The FTC is accepting comments about the proposed settlement until August 1, 2018.
Deceptive claims about Privacy Shield participation are actionable under the FTC Act. If it says it’s “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework,” it must be actively taking the steps necessary to complete the process.
If a company claims to participate in Privacy Shield, but has not finished the process or the certification has lapsed, there are two choices: 1) complete the process; or 2) remove the false statement.
Contributed by Magdalena A K Muir
Sources:
In the Matter of ReadyTech Corporation, a corporation. FTC Matter/File Number: 182 3100 https://www.ftc.gov/
Agreement Containing Consent Order (20.8 KB)
Analysis of Proposed Consent Order to Aid Public Comment (38.75 KB)
https://www.ftc.gov/