Privacy Shield Framework

Written By ESR News Blog Editor Thomas Ahearn

On September 27, 2018, the Federal Trade Commission (FTC) announced that four companies agreed to settle allegations that they falsely claimed certification under the EU-U.S. Privacy Shield Framework and that two of these companies failed to abide by a key framework provision, according to an FTC press release.

“Companies need to know that if they fail to honor their Privacy Shield commitments, or falsely claim participation in the Privacy Shield framework, we will hold them accountable,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, stated in the press release about the settlements.

In four separate complaints (1, 2, 3 & 4), the FTC alleged that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union (EU) countries to the United States (U.S.) in compliance with EU law.

Three of the companies obtained Privacy Shield certification but allowed their certifications to lapse and still stated on their websites that they participated in the Privacy Shield. Two companies failed to affirm to the Department of Commerce that they would apply the Privacy Shield protections to personal information.

As part of the proposed settlements with the FTC, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.

In July 2018, a company agreed to settle FTC charges of falsely claiming to comply with the EU-U.S. Privacy Shield after stating on its website that it was “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” The company had initiated an application but did not complete all the steps.

In September 2017, three companies agreed to settle FTC charges that they misled consumers about their participation in the EU-U.S. Privacy Shield. In separate complaints, the FTC alleged the companies violated the FTC Act by falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield.

Although the decision to join the Privacy Shield Framework is voluntary, the public commitment by an organization to comply with Privacy Shield Principles through self-certification is enforceable under U.S. law by either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).

The EU-U.S. Privacy Shield Framework – which officially launched on August 1, 2016 – replaced a previous international agreement called “Safe Harbor” that was invalidated by a European Court of Justice ruling on October 6, 2015. The official Privacy Shield Framework website is available at

The Privacy Shield Framework includes seven commonly recognized privacy principles combined with 16 equally binding supplemental principles that explain and augment the first seven principles. The combined 23 Privacy Shield Principles are available at

ESR Completes Annual Privacy Shield Re-Certification for 2018

Employment Screening Resources® (ESR) has received notification from the U.S. Department of Commerce’s International Trade Administration (ITA) that ESR’s annual submission for its self-certification of adherence to the Privacy Shield Framework has been finalized and is effective as of September 26, 2018.

Organizations must self-certify to the ITA annually their adherence to Privacy Shield in order to remain on the Privacy Shield List. ESR was one of the first adopters of Privacy Shield with an original certification date of August 12, 2016, less than two weeks after the official launch date. To learn more, visit

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2018 Employment Screening Resources® (ESR) – Making copies or using of any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.

1 Comment

Comments are closed.