The FTC’s administrative litigation against NTT Global Data Centers Americas, Inc., just ended with a proposed settlement – and an important compliance message for companies that claim participation in the EU-U.S. Privacy Shield framework.
Administered by the U.S. Department of Commerce, the Privacy Shield Framework enables companies to lawfully transfer consumer data from countries in the European Union to the United States. Participation is voluntary, but if companies choose to participate, the terms of the Framework establish that “effective compliance is compulsory: organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles.” In other words, they must keep their certification current and they must live up to what the Framework requires.
Between January 2017 and October 2018, NTT Global Data Centers (formerly known as RagingWire Data Centers) said in its online privacy policy that it “complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries.” It made similar representations in sales materials. However, the company allowed its certification to lapse in January 2018. Despite two warnings from the Commerce Department, NTT Global Data Centers didn’t revise its privacy policy to change what it said about its Privacy Shield participation.
The FTC has taken law enforcement action against dozens of companies that made false or deceptive representations about Privacy Shield participation, and Count 1 of the complaint against NTT Global Data Centers – filed in November 2019 – alleged exactly that kind of misrepresentation. The complaint also alleged three substantive Privacy Shield violations.
One Privacy Shield requirement is that participants annually verify, through self-assessment or an outside compliance review, that what they say about their Privacy Shield practices is true. They also must have a statement signed by a corporate officer or outside reviewer attesting that the assessment or review has been completed. NTT Global Data Centers didn’t undertake that assessment or review. Thus, Count 2 of the complaint alleged that the company’s statements that it complied with Privacy Shield were false.
Count 3 alleged that NTT Global Data Centers claimed to comply with Privacy Shield Principles, and yet the company failed to honor the requirement that it maintain a readily available independent recourse mechanism for consumers for the entire time it was a Privacy Shield participant.
Once companies withdraw from Privacy Shield, what happens to the personal information they collected while they were participants? They have three choices. They must: 1) continue to apply the Privacy Shield Principles to that data; 2) return or delete it; or 3) provide “adequate” protection for the information by another authorized means. Count 4 of the complaint alleges that NTT Global Data Centers failed to affirm to the Commerce Department that it would continue to protect, delete, or return the data it collected under the program.
To settle the case, NTT Global Data Centers has agreed not to make misrepresentations about its membership in any privacy or security program sponsored by a government or a self-regulatory or standard-setting organization. Furthermore, for as long as it participates in Privacy Shield, NTT Global Data Centers must retain a third-party assessor – and not rely on self-assessment – to verify that its claims about its Privacy Shield practices are true. If the company chooses to withdraw from the Framework, it must affirm to the Commerce Department that it will continue to apply Privacy Shield principles to any applicable information it received while it was a participant or will delete or return the data. Once the proposed settlement runs in the Federal Register, you’ll have 30 days to file a public comment.
The case suggests four compliance tips for other companies.
Keep your Privacy Shield statements up to date. Make sure your express or implied statements about Privacy Shield are based in fact and reflect the current status of your participation. You can check the Commerce Department’s list of active and inactive participants to see whether your self-certification is current. You should also pay close attention to communications from the Commerce Department. They may contain important information about your self-certification.
If you choose to participate, honor the substantive provisions. The EU-U.S. Privacy Shield Principles and Supplemental Principles aren’t a la carte. They include detailed standards with which participants must fully comply. The Verification requirements and the need for “readily available independent recourse mechanisms” to deal with consumer complaints merit particular attention.
To stay Privacy Shield-compliant, complete a timely annual recertification. The FTC has brought close to 40 law enforcement actions against companies that allowed their certifications to lapse and yet continued to claim participation in Privacy Shield or similar programs. To keep your company on the right side of the law, add an annual reminder to your calendar and follow through with the steps the Commerce Department requires.
Withdrawing from Privacy Shield requires more than a good-bye. For companies that need to transfer covered data, the benefits of Privacy Shield are apparent. But if your company decides it no longer wishes to participate, leaving requires orderly steps and ongoing duties – including obligations regarding the covered data your company collected while it was a participant. Consult with the Commerce Department for more information about withdrawing from Privacy Shield.