Out-Law News

US regulator clamps down on alleged false claims of Privacy Shield certification


The Federal Trade Commission (FTC) in the US has warned businesses in the country not to claim that they participate in the Privacy Shield framework for EU-US data transfers unless they have completed the certification process.

The regulator said it had reached a settlement with three US companies over allegations that they broke the law by falsely claiming to be certified under the scheme. All the businesses had allegedly begun the process of applying for Privacy Shield certification but "didn’t complete the necessary steps", the FTC said.

The Privacy Shield allows the transfer of personal data between the EU and US businesses which self-certify their compliance with a set of privacy principles that make up part of the framework. A list of businesses certified under the Privacy Shield is published and maintained by the US Department of Commerce. The FTC plays a regulatory role in overseeing compliance.

"[Our] actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce," said acting FTC chairman Maureen Ohlhausen. "Companies that want to benefit from these agreements must keep their promises or we will hold them accountable."

Under the terms of their respective settlements, human resources software company Decusoft, printing services company Tru Communication, and Md7, which manages real estate leases for wireless companies, are "prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organisation", the regulator said.

The FTC said there were lessons for other US businesses to learn from the cases.

"Frameworks like Privacy Shield help American businesses remain competitive while protecting consumers’ data, but only if companies take their certification responsibilities seriously," it said. "The programs are voluntary, but like any other express or implied representation a company makes, claims about participation have to be truthful."

"If you apply to participate in Privacy Shield, follow through. If you apply but then decide not to participate, don’t tout your compliance in your privacy policy or elsewhere on your website. Furthermore, if the Department of Commerce contacts your company about a deficient or incomplete application, it’s wise to heed the warning by completing the self-certification process in a timely manner or by removing any false statement regarding participation in the Privacy Shield framework."

The first annual review of the Privacy Shield by EU and US officials is set to begin next week. Earlier this year an EU data protection watchdog said it could issue its own report into the framework once that review has concluded, despite the fact it will be given a chance to feed comments into an official post-review report by the European Commission.

The Commission has deemed that data transfers handled in accordance with the Privacy Shield principles will adhere to EU data protection law requirements. However, the framework has drawn criticism from data protection authorities in the EU and privacy campaigners, and is the subject of two separate legal challenges.
