The Federal Trade Commission (“FTC”) announced settlements on September 27, 2018 with four companies that the FTC alleged falsely claimed to be EU-U.S. Privacy Shield certified. These settlements with IDmission, LLC, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. – in conjunction with another settlement in July and three others in November 2017 – bring the FTC’s total publicly announced Privacy Shield enforcement actions to eight.
All four of the companies’ websites or privacy policies represented that they participated in the EU-U.S. Privacy Shield program when, according to the FTC, they had never been certified or their certification had lapsed. One company, IDmission, applied for but never completed the steps necessary for Privacy Shield certification, and the other three companies obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. Additionally, the FTC contended that SmartStart and VenPath failed to protect personal information collected during their participation in the Privacy Shield program once they were no longer certified.
The proposed settlements prohibit each company “from misrepresenting the extent to which they participate in any privacy or data security program” and require recordkeeping and compliance monitoring. Two of the companies, VenPath and SmartStart, must (1) continue to apply all EU-U.S. Privacy Shield protections to the information collected while they participated in the program; (2) protect it by another equivalent means (e.g., binding corporate rules or the Standard Contractual Clauses); or (3) return or delete the personal data within ten days of the FTC’s order.
Reminders for Companies Applying for or Certified under the Privacy Shield
These settlements are a reminder that:
- Companies that aren’t yet Privacy Shield-certified or whose certifications have expired should refrain from creating a false impression that they are certified; and
- Companies that are certified but then withdraw from the program retain obligations to protect the personal data collected while participating in the framework consistent with Privacy Shield requirements – or delete such data.
Privacy Shield’s Future
This FTC enforcement comes at a time when the future of the Privacy Shield is uncertain. In July 2018, the European Parliament issued a non-binding resolution urging the European Commission to suspend the Privacy Shield unless the U.S. complies with EU data protection rules by September 1, 2018. On August 30, 2018, the Department of Commerce issued a response to that resolution. Although the European Commission has not suspended Privacy Shield, the Commission is expected to release its second annual review on Privacy Shield’s adequacy in mid-October 2018. The first annual review was released on October 18, 2017.