Privacy and Data Security

For the fourth time, the Federal Trade Commission (FTC) has reached a consent agreement with a company for alleged misrepresentations regarding Privacy Shield certification. A California-based company, ReadyTech Corporation, agreed to a settlement whereby it is “prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.” Privacy Shield is one of a few mechanisms available to U.S. companies for the lawful transfer of personal data from the European Union and Switzerland to the United States pursuant to applicable data protection laws, including the new General Data Protection Regulation (GDPR). As part of the process, companies must self-certify with the Department of Commerce (DoC) and then re-certify annually that they remain Privacy Shield compliant.

As part of the self-certification process, an organization must update its privacy policy prior to the DoC’s review. The International Trade Administration (ITA) of the DoC, which administers the Privacy Shield program, must actually verify that a company has completed certain requirements before finalizing the organization’s self-certification or re-certification. One of these requirements is that the organization has “included in its privacy policy a statement that it adheres to the Privacy Shield Principles and, if the privacy policy is available online, a hyperlink to the Department’s Privacy Shield website.” By posting what is, for all intents and purposes, a promise to consumers, an organization is running straight into the FTC’s Section 5 powers to investigate possible “unfair or deceptive acts or practices” in commerce—the power under which the FTC has nudged many best practices related to consumer data privacy and information security in the United States.

Like its three predecessors, all of which reached a consent order with the FTC because of misrepresentations related to Privacy Shield in their privacy policies, ReadyTech Corporation is alleged to have falsely claimed on its website that it was in the process of certifying that it was compliant with the Privacy Shield Framework. The FTC’s press release specified that “[w]hile ReadyTech initiated an application to the U.S. Department of Commerce in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield framework.”

There are a couple of important facts to consider regarding the timeline of this action. While it is only the fourth enforcement action of its kind, and the first since September 8, 2017, the action more importantly comes only a little more than a month after GDPR went into effect on May 25th. It also comes only two months after the FTC’s empty commissioner seats were finally filled by President Trump and new chairman Joseph Simons was sworn in. Because the Privacy Shield framework is one of the few mechanisms whereby companies may lawfully engage in international data transfer under the GDPR, and many organizations scrambled to update their privacy policies prior to May 25th, the FTC may be giving a prudent warning that it will be investigating misrepresentations as to Privacy Shield certification and compliance in the near future.