Skip to main content

A proposed FTC settlement with California-based employee training company ReadyTech Corporation reminds businesses that if you make claims about EU-U.S. Privacy Shield participation, you have an obligation to live up to those promises. The case also serves as further confirmation of the FTC’s commitment to the framework.

Privacy Shield gives companies a way to transfer personal data from the EU to the United States, consistent with EU data protection requirements. To participate in Privacy Shield (or the corresponding Swiss-U.S. Framework), companies must apply to the U.S. Department of Commerce and follow the program’s self-certification requirements. Participation is voluntary, but a company’s representations about Privacy Shield compliance must be true.

Here’s what ReadyTech said in its Privacy Policy:

ReadyTech is in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.

But according to the FTC, although ReadyTech began the Privacy Shield application process in October 2016, it didn’t follow through with the necessary steps. Thus, the FTC alleged that ReadyTech’s statement in its Privacy Policy was false or misleading.

To settle the case, the company has agreed not to misrepresent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group, or a standard-setting organization. The FTC is accepting comments about the proposed settlement until August 1, 2018.

What does the case mean for your company?

Deceptive claims about Privacy Shield participation are actionable under the FTC Act. Like any other objective representation, companies must have a reasonable basis to support what they say about Privacy Shield. If a business says it complies with the framework, that must be true. If it says it’s “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework,” it must be actively taking the steps necessary to complete the process. Your company doesn’t have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.

Be the in-house Privacy Shield hero. If your company claims to participate in Privacy Shield, but you haven’t finished the process or your certification has lapsed, you have two choices: 1) complete the process; or 2) remove the false statement. To earn Privacy Shield props from your company, implement a simple system to keep your Privacy Shield self-certification current. The Commerce Department’s list of active Privacy Shield participants includes the date by which you must submit your annual self-certification. Mark it on your calendar so you can recertify on time.

Eric Hicks
July 02, 2018
I believe that privacy shield is a great tool to use and is very efficient for the people who use it because it gives the consumers the ability to control their data. With all that being said I do believe it would be beneficial to all parties who participate in these issues to be compensated some kind of reward for their efforts. And for those who go above and beyond to be recognized for their contributions to privacy shield.
Carlos Garcia Ruiz
July 04, 2018

In reply to by Eric Hicks

I think the benefit you claim is to get European customers. And make business with them
Veronika Tonry
November 16, 2018
Privacy Shield could be a great tool, but I am disappointed to see that applications are just stalling for half a year or more with no response to emails or phone calls.

More from the Business Blog

Get Business Blog updates