For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms that are available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then annually re-certify that the company is Privacy Shield compliant.
There are a couple of important facts to consider regarding the timeline of this action. While it is only the fourth enforcement action of its kind, and the first since September 8, 2017, the action more importantly comes only a little more than a month after the GDPR went into effect on May 25th. It also comes only two months after the FTC’s empty commissioner seats were finally filled by President Trump and new chairman Joseph Simons was sworn in. Because the Privacy Shield framework is one of the few mechanisms whereby companies may lawfully engage in international data transfer under the GDPR, and many organizations scrambled to update their privacy policies prior to May 25th, the FTC may be giving a prudent warning that it will be investigating misrepresentations as to Privacy Shield certification and compliance in the near future.