FTC Finalizes Settlement with Data Center Over Privacy Shield Allegations

Privacy

Written By ESR News Blog Editor Thomas Ahearn

On October 28, 2020, the Federal Trade Commission (FTC) – a government agency that is America’s primary privacy and data security enforcer – finalized a settlement with a data storage services company that allegedly deceived consumers about its participation in the EU-U.S. Privacy Shield framework that allows participants to transfer data from the European Union (EU) to the United States (U.S.), according to an FTC press release.

The FTC alleged that the data storage services company claimed in its online privacy policy and marketing materials that the company participated in the EU-U.S. Privacy Shield framework and complied with the program’s requirements. In fact, the FTC alleged, the company’s certification lapsed in January 2018 and it failed to comply with certain Privacy Shield requirements while it was a participant in the framework.

Under the settlement, the company is prohibited from misrepresenting its compliance with or participation in the Privacy Shield framework and any other privacy or data security program or self-regulatory or standard-setting organization. The company must continue to apply the Privacy Shield requirements or equivalent protections to personal information collected while participating in the framework or return or delete the information.

Although the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield framework in July 2020, that decision does not affect the validity of the FTC’s decision and order relating to the data center company’s misrepresentations about its participation in and compliance with the framework. The framework allowed participants to transfer data legally from the European Union to the United States.

“The Federal Trade Commission remains committed to enforcing the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield programs, and the order we approve today is consistent with that commitment,” Chairman Joseph J. Simons and Commissioners Noah Joshua Phillips and AND Christine S. Wilson wrote in the Majority Statement in the matter. Commissioner Rohit Chopra wrote the Dissenting Statement in the matter.

A blog posted on the FTC website in June 2016 about the proposed settlement titled “FTC settlement focuses on those other Privacy Shield Framework requirements” claimed that the enforcement actions of the FTC sent “an important compliance message for companies that claim participation in the EU-U.S. Privacy Shield framework” that “they must keep their certification current and they must live up to what the Framework requires.”

The U.S. Department of Commerce administers the EU-U.S. Privacy Shield frameworks while the FTC enforces the promises companies make when joining the program. In 2019, the FTC settled cases with a company in July, five companies in September, a company in November, and four companies in December. In 2020, the FTC settled cases with five companies in January, four companies in February, and a company in March.

The EU-U.S. Privacy Shield Framework – which officially launched on August 1, 2016 – replaced a previous international agreement called “Safe Harbor” that was invalidated by a European Court of Justice ruling on October 6, 2015. The framework includes seven commonly recognized privacy principles combined with 16 supplemental principles. To learn more about the Privacy Shield, visit www.privacyshield.gov.

Organizations must self-certify to the International Trade Administration (ITA) annually their adherence to the Frameworks. Employment Screening Resources® (ESR) was one of the first adopters of EU-U.S. Privacy Shield Framework with an original certification date of August 12, 2016, less than two weeks after it officially launched. ESR’s active participant page on the list of certified companies is available here.

Employment Screening Resources® (ESR) – a leading global background check provider with capabilities in more than 240 countries and territories – received notification from the ITA that its annual submission for self-certification of adherence to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks had been finalized and was effective as of September 10, 2020. To learn more about ESR, visit www.esrcheck.com.

NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2020 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.