eDiscovery Daily Blog

FTC Cracks Down on Privacy Shield Posers: Data Privacy Trends

Did you ever wonder what happens if a company falsely claims that it is certified compliant with either the EU-U.S. or Swiss-U.S. Privacy Shield framework? Or falsely claims that it is in the process of being certified compliant? Apparently, the Federal Trade Commission (FTC) gets on its case about it.

According to ACEDS (“California Company Settles FTC Charges Related to Privacy Shield Participation”), ReadyTech Corporation, a California company, has agreed to settle Federal Trade Commission allegations that it falsely claimed it was in the process of being certified as complying with the EU-U.S. Privacy Shield framework. The framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law (we covered details of the framework when it was introduced over two years ago).

“Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield,” FTC Chairman Joe Simons commented. “We believe Privacy Shield is a critical tool for ensuring transatlantic data flows and protecting privacy that benefits both companies and consumers.”

According to the FTC’s complaint, the Commission alleges that ReadyTech, which provides online training services, falsely claimed on its website that it is “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” While ReadyTech initiated an application to the U.S. Department of Commerce in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield framework. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.

The FTC alleges in its complaint that the company’s false claim that it is in the process of certification violates the FTC Act’s prohibition against deceptive acts or practices.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing Privacy Shield. It continues the FTC’s commitment to enforcing international privacy frameworks, making a total of 47 cases enforcing the Privacy Shield, the predecessor Safe Harbor framework, and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework.

As you may or may not know, CloudNine is certified for both the EU-U.S. and EU-Swiss Privacy Shield Frameworks (so, yes, at CloudNine we are “certifiable”). :o) Periodically, you have to recertify – in fact, I just completed the recertification process for CloudNine a while back. It’s good to know that somebody is checking up on companies to make sure that their claims of being Privacy Shield compliant are valid.

So, what do you think? Is your organization Privacy Shield certified? Are your providers certified? Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

P.S. — Happy Birthday, Kiley!  You’re now officially a teenager!  😮
