A proposed FTC settlement with California-based employee training company ReadyTech Corporation reminds businesses that if you make claims about EU-U.S. Privacy Shield participation, you have an obligation to live up to those promises. The case also serves as further confirmation of the FTC’s commitment to the framework.
Privacy Shield gives companies a way to transfer personal data from the EU to the United States, consistent with EU data protection requirements. To participate in Privacy Shield (or the corresponding Swiss-U.S. Framework), companies must apply to the U.S. Department of Commerce and follow the program’s self-certification requirements. Participation is voluntary, but a company’s representations about Privacy Shield compliance must be true.
Here’s what ReadyTech said in its Privacy Policy:
ReadyTech is in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.
But according to the FTC, although ReadyTech began the Privacy Shield application process in October 2016, it didn’t follow through with the necessary steps. Thus, the FTC alleged that ReadyTech’s statement in its Privacy Policy was false or misleading.
To settle the case, the company has agreed not to misrepresent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group, or a standard-setting organization. The FTC is accepting comments about the proposed settlement until August 1, 2018.
What does the case mean for your company?
Deceptive claims about Privacy Shield participation are actionable under the FTC Act. As with any other objective representation, companies must have a reasonable basis to support what they say about Privacy Shield. If a business says it complies with the framework, that must be true. If it says it’s “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework,” it must be actively taking the steps necessary to complete the process. Your company doesn’t have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.
Be the in-house Privacy Shield hero. If your company claims to participate in Privacy Shield, but you haven’t finished the process or your certification has lapsed, you have two choices: 1) complete the process; or 2) remove the false statement. To earn Privacy Shield props from your company, implement a simple system to keep your Privacy Shield self-certification current. The Commerce Department’s list of active Privacy Shield participants includes the date by which you must submit your annual self-certification. Mark it on your calendar so you can recertify on time.