The Federal Trade Commission recently entered into settlement agreements with four companies regarding claims that the companies misrepresented their compliance with the EU-U.S. Privacy Shield Framework. Each company indicated on its website that it actively participated in the EU-U.S. Privacy Shield. The FTC found such statements misleading as at least one company failed to complete the initial certification process and three others allowed their certifications to lapse without completing the annual re-certification requirements. The FTC also noted that two of the companies failed to meet EU-U.S. Privacy Shield requirements when they stopped participating in the program and failed to affirm to the U.S. Department of Commerce that they would continue to apply Privacy Shield protections to personal information collected while such entities were participants in the program.
What Should I Do?
To avoid FTC misrepresentation claims regarding your organization’s EU-U.S. Privacy Shield participation, be sure to:
Successfully complete all steps in the initial certification process.
Monitor annual re-certification deadlines and re-certify on a timely basis.
If you decide to forgo further participation in the program, affirm to the U.S. Department of Commerce that you will continue to honor the EU-U.S. Privacy Shield Principles as they relate to personal information you collected during your participation in the program.