Privacy Shield – How to Keep the FTC from Knocking on Your Door

Given the rapid rise of the inter-connected, digitized global economy, where data is the new oil, the ability to readily transfer personal data is imperative in maintaining and enhancing strong transatlantic commercial ties. The U.S. Federal Trade Commission (FTC) has increased Privacy Shield enforcement, targeting companies whose privacy policies state that they participate in Privacy Shield although their certification has lapsed.  

T&M Resources LLC, a background investigations company based in New York with an online privacy policy that claimed they were compliant with the EU-U.S. Privacy Shield Framework, had not re-certified their compliance. The FTC charged the company for its failure to annually verify that its Privacy Shield practices were accurate, including its failure to assert that it would continue to apply the Privacy Shield protections to EU personal data. On March 23, 2020, the FTC announced its approved settlement with T&M. There have been a number of similar enforcement actions by the FTC this year.

To facilitate the transfer of personal data from the EU to the US, companies only have a few tools. The options are binding corporate rules, model/standard contractual clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. If a company decides to opt for the latter, to keep the FTC from knocking on their door, they must self-certify every year with the U.S. Department of Commerce. In addition, the company’s internal data practices must provide EU personal data a level of protection equivalent to that which it would receive in the EU under the General Data Protection Regulation (GDPR). The company must also strengthen its internal levels of privacy and data protection, and conduct an annual review of their privacy practices in order not to run afoul of the FTC, which does not take kindly to deceptive statements in online privacy policies. More information on Privacy Shield certification can be found at www.privacyshield.gov.

Companies that consistently fail to comply with Privacy Shield requirements are removed from the Privacy Shield list by the U.S. Department of Commerce and must return or delete the EU personal data they have received under the Privacy Shield Framework. Failure to do so sets the stage for the FTC to enforce civil penalties of up to $40,000 per violation. As T&M Resources recently discovered, the FTC certainly has the appetite to pursue companies who fail to take Privacy Shield compliance requirements seriously.