The U.S. Federal Trade Commission (FTC) announced on 8 September that three U.S. companies have agreed to settle FTC charges that they misled consumers by falsely claiming they were certified to participate in the Privacy Shield. In separate complaints, the FTC alleges that all three companies failed to complete the certification process for the Shield. As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements. The actions against the three companies are the first cases the FTC has brought to enforce the Shield, which was adopted in July 2016.
The FTC’s consent agreements with the three companies will be subject to public comment for 30 days, before the FTC decides whether to make the proposed consent orders final. Each violation of such an order may then result in a civil penalty of up to $40,654.
The FTC has the power to prohibit misrepresentations regarding adherence to the Privacy Shield principles or participation in the Shield, through administrative orders or by seeking court orders; violations of those administrative orders can lead to civil penalties of up to $40,654 per violation or $40,654 per day for continuing violations. However, it remains to be seen how proactive the FTC will be in pursuing U.S. companies for failing to keep their Shield commitments, and whether the actual sanctions imposed by the FTC will be sufficiently rigorous to ensure compliance.
The FTC’s charges demonstrate the importance of EU companies carrying out due diligence on the U.S. companies they transfer data to, to ensure that any company claiming to participate in the Shield has officially self-certified. The U.S. Department of Commerce manages the list of companies which have self-certified. To date, almost 2,500 organisations have self-certified as complying with the Privacy Shield, compared with over 4,000 companies which were signed up to the (now invalid) Safe Harbour framework.
The European Commission is conducting its first annual joint review of the Privacy Shield this month. The EU Parliament’s LIBE Committee has already voted in favor of a resolution declaring the Privacy Shield inadequate. Its two main concerns with the regime are: (1) the independence of the Ombudsman set up in the U.S. as a redress system for EU citizens, and (2) the bulk collection of personal data by U.S. authorities for surveillance purposes. Two privacy advocacy groups, Digital Rights Ireland and the French privacy advocacy group La Quadrature du Net, have also lodged applications in the EU General Court challenging the European Commission’s Adequacy Decision regarding the Privacy Shield. The groups submit that the adequacy decision is incompatible with the EU Charter of Fundamental Rights and does not provide sufficient protections for EU citizens.