FTC Finalizes Privacy Shield Settlement Over Allegations about Participation

Privacy Shield

Written By ESR News Blog Editor Thomas Ahearn

On July 13, 2020, the Federal Trade Commission (FTC) – a government agency that protects consumers and promotes competition – finalized a settlement with a medical diagnostic devices and services company over allegations the firm misled consumers about its participation in the EU-U.S. Privacy Shield Framework.

The FTC claimed the New Jersey-based company claimed it participated in the Privacy Shield that establishes a process to allow companies to transfer consumer data from European Union (EU) countries to the United States (U.S.) in compliance with EU law even though the company had allowed its certification to lapse in 2018.

As part of the settlement with the FTC, the company is prohibited from misrepresenting its participation in the Privacy Shield Framework and is required to comply with the continuing obligation under the program to protect personal information it collected while participating in the program, or to return or delete the information.

The FTC enforces the Privacy Shield program. In 2019, the FTC settled cases with a company in July, five companies in September, a company in November, and four companies in December. In 2020, the FTC settled cases with five companies in January, four companies in February, a company in March., and a company in June.

The EU-U.S. Privacy Shield Framework – which officially launched on August 1, 2016 – replaced a previous international agreement called “Safe Harbor” that was invalidated by a European Court of Justice ruling on October 6, 2015. To learn more about the Privacy Shield Framework, visit www.privacyshield.gov.

On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a decision that invalidated the EU-U.S. Privacy Shield Framework and opened the door for the possible suspension of data transfers from the European Union to the United States based on the Standard Contractual Clauses (SCCs), a CJEU press release stated.

While the CJEU upheld the validity of the SCCs as a data transfer mechanism, the Court ruled that EU data protection regulators may suspend transfers of personal data from the EU to a third country, such as the U.S., after determining that the third country’s laws undercut SCCs protections for personal data.

“While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts,” U.S. Secretary of Commerce Wilbur Ross said in a statement.

The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. The CJEU ruling does not relieve participating organizations of their obligations.

Organizations must self-certify to the International Trade Administration (ITA) annually their adherence to the Frameworks. Employment Screening Resources® (ESR) was one of the first adopters of EU-U.S. Privacy Shield Framework with an original certification date of August 12, 2016, less than two weeks after it launched.

Employment Screening Resources® (ESR) – a leading global background check provider – is an active participant in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and completed its most recent annual self certification of adherence in September 2019. To learn more about ESR, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2020 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.