Want to be your company’s Privacy Shield hero? Four proposed FTC settlements suggest actions you can take to keep your business Privacy Shield-compliant.
The EU-U.S. Privacy Shield framework enables companies to lawfully transfer consumer data from European Union countries to the United States. (There also is a Swiss-U.S. framework.) The Department of Commerce administers both frameworks, while the FTC challenges false or deceptive representations companies make about their participation or compliance.
In separate complaints, the FTC alleges that four companies – Click Labs, Inc., a Seattle-based website and app services provider; Incentive Services, a Minnesota developer of employee award programs; Global Data Vault, a data storage and recovery business in Dallas; and North Carolina IT services company TDARX – made misleading Privacy Shield claims.
The FTC says Click Labs and Incentive Services submitted self-certification applications to the Department of Commerce for both the EU-U.S. and Swiss-U.S. frameworks, but failed to finalize them. Despite that, both companies claimed on their websites to be in compliance.
According to the cases against Global Data Vault and TDARX, although those companies were once EU-U.S. Privacy Shield participants, they allowed their certifications to lapse – meaning that the claims they made in their privacy policies about their status were false. Furthermore, the complaints allege that while they were participants, they failed to perform the annual verification required of all Privacy Shield participants, whether as a self-assessment or as an outside compliance review. What about the data they received during the time they participated? The framework gives former participants three options: affirm ongoing compliance with Privacy Shield principles for that information, return it, or delete it. The FTC says Global Data Vault and TDARX did none of the three.
The proposed settlements prohibit the companies from misrepresenting their participation in or compliance with the EU-U.S. Privacy Shield framework or any other privacy or data security program sponsored by a government, self-regulatory group, or standard-setting organization. In addition, Global Data Vault and TDARX must either apply the Privacy Shield protections to personal information they collected while participating in the program, return the information, or delete it. Once the settlements appear in the Federal Register, you’ll have 30 days to file a public comment.
How can you help your company avoid a framework failure? Consider these three steps:
- Framework participation is voluntary, but don’t tout participation until your company’s application has been accepted.
- Set a reminder on your calendar to complete the required recertification process annually, as well as your annual verification.
- If your business chooses to withdraw from participation, remove Privacy Shield references from your website, including your privacy policy. Furthermore, think through how your company will appropriately protect – or securely return or delete – information collected while you were a participant.
Visit the FTC’s Privacy Shield page for more resources.