FTC Steps up Enforcement Against False Claims of Participation in the EU-U.S. Privacy Shield and Other International Privacy Frameworks

01 July 2019 Privacy, Cybersecurity & Technology Law Perspectives Blog
Authors: Samuel D. Goldstick

Nearly three years ago, the EU-U.S. and Swiss-U.S. Privacy Shield frameworks replaced the U.S.-EU and U.S.-Swiss Safe Harbor programs as a self-certification mechanism for transferring personal data from the European Union and Switzerland, respectively. Although participation is completely voluntary and organizations are free to use other lawful methods to transfer data from the European Union and Switzerland (such as the Standard Contractual Clauses published by the European Commission), the U.S. Federal Trade Commission (“FTC”) can take action under Section 5 of the FTC Act when companies make deceptive claims about their privacy and data security practices, including claims about their participation in international privacy programs such as the Privacy Shield frameworks. Recently, it appears that the FTC has increased its monitoring of companies’ claims regarding participation in these regimes and is taking action against those that misrepresent their compliance with such programs.

Recently, the FTC reached a settlement with a background check company, SecurTest, Inc. (“SecurTest”), over allegations that the company violated Section 5 of the FTC Act when it claimed in its privacy notice to consumers that it participated in the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and that it had “certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles.” According to the FTC’s complaint, SecurTest applied to the Department of Commerce to participate in both frameworks but never completed the process, and therefore the claim in its privacy notice of participation in the Privacy Shield frameworks was false. Under the settlement terms, SecurTest must (1) refrain from misrepresenting its participation in either Privacy Shield framework or any other privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization, (2) spread awareness to its stakeholders of the company’s noncompliance and (3) submit to ongoing compliance monitoring and recordkeeping requirements.

The FTC also issued warning letters to more than a dozen unnamed companies for misrepresenting their participation in the U.S.-EU and U.S.-Swiss Safe Harbor frameworks, which were invalidated in October 2015 and under which any self-certifications have since expired. In addition, the FTC sent warning letters to two companies for falsely claiming to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”) system, a voluntary but enforceable framework designed to protect consumer data traveling between APEC member countries.

The FTC requested that these companies remove from their websites, privacy policies or other public documents any statements claiming participation in either of the Safe Harbor programs, and requested that the two companies either (1) remove from their websites, privacy policies or other public documents any statements that might be construed as claiming participation or involvement in the APEC CBPR system or (2) prove that they had undergone the requisite review and certification. The FTC warned that if the companies fail to take action within 30 days, it would take appropriate legal action.

Privacy policies claiming compliance with invalidated or updated programs or laws clearly present a red flag to regulators. In this most recent instance, the FTC continued its trend of aggressively policing companies that falsely claim to be Privacy Shield compliant and that misrepresent their participation in other transborder programs. Companies that continue to represent to the public their participation in these programs after failing to complete certification or recertification run the risk of FTC enforcement.

This recent enforcement action and these warning letters should serve as a reminder to U.S. companies of the importance of periodically reviewing their privacy policies for accuracy and for any wording that could mislead consumers, in order to avoid potentially costly investigative and enforcement proceedings and to reduce the potential for loss of consumers’ trust. This is especially true when an organization changes direction with respect to how it processes consumers’ personal information. Organizations should carefully revise their privacy notices to ensure they are making accurate representations to consumers about the information they collect about them. Similarly, organizations should obtain appropriate consent from consumers prior to collecting new types of information from them or using their information for different purposes that were not previously disclosed in the privacy notice. Companies should also avoid making sweeping statements in their privacy notices, such as “we will never share your personal information with any third parties” or “we protect your information in accordance with the highest industry standards,” as these are likely to be misconstrued by consumers and potentially viewed as deceptive by the FTC.
