First enforcement actions against non-compliant Privacy Shield participants

The US Federal Trade Commission (FTC) announced on 8 September that three US companies have agreed to settle FTC charges on misleading consumers about participation in the EU-US Privacy Shield.

The companies in question, human resources software company Decusoft, LLC; printing services company Tru Communication Inc. (doing business as; and Md7, LLC, which manages real estate leases for wireless companies, had violated the FTC Act by falsely claiming that they were certified to participate in the EU-US Privacy Shield. In fact, all three companies failed to complete the certification process for the Privacy Shield.

“Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce,” said Acting FTC Chairman Maureen K. Ohlhausen. “Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements.

The US Department of Commerce maintains the list of companies that have joined the framework, while the FTC enforces the promises companies make when joining the Privacy Shield. The EU Data Protection Authorities are due to issue this autumn their assessment of how the agreement is working in practice. One of questions that have been raised during the previous Safe Harbor arrangement is enforcement.

Read more about the current status of the Privacy Shield agreement in the next issue of Privacy Laws & Business International Report.