FTC Takes Action against Companies Falsely Claiming Compliance with the EU-U.S. Privacy Shield, Other International Privacy Agreements
The Federal Trade Commission reached a settlement with a background screening company over allegations it falsely claimed to be a participant in the EU-U.S. Privacy Shield program. In separate actions, the FTC also sent warning letters to more than a dozen companies for falsely claiming participation in other international privacy agreements.
In its complaint, the FTC alleges that SecurTest, Inc., falsely claimed on its website that it participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which establish processes to allow companies to transfer consumer data from European Union countries and Switzerland to the United States in compliance with EU and Swiss law, respectively.
While the company initiated a Privacy Shield application in September 2017 with the U.S. Department of Commerce, SecurTest did not complete the steps necessary to be certified as complying with the frameworks. Because it did not complete certification, SecurTest was not a certified participant in the frameworks, despite representations to the contrary on its website. The Department of Commerce administers both frameworks, while the FTC enforces the promises companies make when joining those programs.
As part of its proposed settlement with the FTC, SecurTest is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.
FTC Warns Other Companies
The FTC also sent warning letters to 13 companies that falsely claimed they participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively. These Safe Harbor agreements are no longer in force, and the last valid self-certifications for either agreement have expired.
The FTC called on the 13 companies to remove from their websites, privacy policies, or any other public documents any statements claiming they participate in either Safe Harbor agreement. If the companies fail to take action within 30 days, the FTC warned it would take appropriate legal action.