As if having to deal with all of the EU's Data Protection Authorities wasn't challenge enough for companies trying to comply with the GDPR, the FTC has now asserted that it too has a role in GDPR enforcement. In particular, the FTC says it has a role in making sure that US companies live up to the GDPR-related promises they make. This position was put into practice in a proposed FTC settlement with California-based employment training company ReadyTech Corporation. Here's the FTC's take on the matter:

Privacy Shield gives companies a way to transfer personal data from the EU to the United States, consistent with EU data protection requirements. To participate in Privacy Shield (or the corresponding Swiss-U.S. Framework), companies must apply to the U.S. Department of Commerce and follow the program's self-certification requirements. Participation is voluntary, but a company's representations about Privacy Shield compliance must be true.

Here's what ReadyTech said in its Privacy Policy:

  • "ReadyTech is in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries."

But according to the FTC, although ReadyTech began the Privacy Shield application process in October 2016, it didn't follow through with the necessary steps. Thus, the FTC alleged that ReadyTech's statement in its Privacy Policy was false or misleading.

To settle the case, the company has agreed not to misrepresent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group, or a standard-setting organization. The FTC is accepting comments about the proposed settlement until August 1, 2018.

What does the case mean for your company?

Deceptive claims about Privacy Shield participation are actionable under the FTC Act. Like any other objective representation, companies must have a reasonable basis to support what they say about Privacy Shield. If a business says it complies with the framework, that must be true. If it says it's "in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework," it must be actively taking the steps necessary to complete the process. Your company doesn't have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.

Be the in-house Privacy Shield hero. If your company claims to participate in Privacy Shield, but you haven't finished the process or your certification has lapsed, you have two choices: 1) complete the process; or 2) remove the false statement. To earn Privacy Shield props from your company, implement a simple system to keep your Privacy Shield self-certification current. The Commerce Department's list of active Privacy Shield participants includes the date by which you must submit your annual self-certification. Mark it on your calendar so you can recertify on time.

Originally published on Foley Hoag's Security, Privacy and The Law Blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.