Agency of Privacy Shield: FTC Expands Enforcement of Privacy Shield Principles
On September 3, 2019, the FTC announced proposed settlements with five companies that falsely claimed to participate in the EU-US Privacy Shield framework (“Privacy Shield”). As in several past enforcement actions, most of the companies falsely claimed they participated in Privacy Shield, when in fact they had never completed the certification process. But unlike past enforcement actions, one case focused on a Privacy Shield participant’s failure to comply with the substantive requirements of the program. That case teaches some important lessons for companies that participate—or are considering participating—in the Privacy Shield.
The FTC’s complaint faulted EmpiriStat for misrepresenting its participation in the Privacy Shield after it allowed its certification to lapse. But it also alleged that EmpiriStat failed to comply with a key substantive requirement of the framework. Specifically, the FTC alleged that EmpiriStat had failed to comply with Privacy Shield Supplemental Principle 7 (the Verification Principle), which requires Privacy Shield participants to verify, at least once a year, through self-assessment or outside compliance review, that the assertions they make about their Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented. The Verification Principle also requires the company to document the verification in a statement signed by a corporate officer. The FTC alleged that EmpiriStat failed to provide its attested verification statement to the FTC.
The EmpiriStat settlement is the first case in which the FTC has focused on a business’s compliance with the Verification Principle and could signal a shift in the FTC’s approach to Privacy Shield compliance. Companies participating in Privacy Shield (or those considering certification) should therefore keep the following points in mind:
- Annual Recertification. Applying for recertification is an annual requirement that must be completed before the expiration of a participant’s current annual certification. EmpiriStat began the recertification process but did not take the steps necessary to complete its application for recertification, despite warnings from the FTC. Companies should be mindful that merely starting the recertification application is not sufficient, and that continuing to claim participation in the Privacy Shield despite a lapse in certification will be viewed by the FTC as an actionable misrepresentation.
- Proper Withdrawal. Companies that wish to withdraw from the framework (or those that fail to properly recertify, as was the case for EmpiriStat) must comply with Privacy Shield’s withdrawal requirements. To properly withdraw, a company must notify the Department of Commerce of its withdrawal and state whether it will return, delete, or retain the personal information received in reliance on the Privacy Shield. If a company chooses to retain that personal information, it must verify that it will continue to apply the Privacy Shield Principles to the personal information received while participating in the framework and affirm its commitment to do so to the Department of Commerce on an annual basis for as long as it retains the information.
The EmpiriStat case suggests that as Privacy Shield’s validity is challenged in Europe, the FTC is likely to take a deeper look at whether companies are complying with the substantive requirements of the framework. Any company that has certified—or is thinking about certification—should thus ensure it understands in detail what the framework requires.