A Reminder from the FTC: Making False Statements about Privacy Shield has Consequences
May 20, 2020 by Cobun Keegan
The U.S. Federal Trade Commission has always taken very seriously any company’s statement about certification, membership, or participation in recognized privacy and security programs. For example, the Commission has cracked down on numerous companies over the years for making incorrect statements about their participation in APEC-CBPR and the Safe Harbor Frameworks. Privacy Shield is no different. Whether you have yet to complete the full self-certification process, are awaiting renewal after a lapse, or have withdrawn from Shield, you must be careful not to make false statements about your participation in the Frameworks. This week, four more companies found this out to their detriment.
Meanwhile, mResource allowed its Privacy Shield participation to lapse and failed to complete the necessary steps to renew with the Department of Commerce, but continued to claim that it was self-certified. Both SmartStart Employment Screening and VenPath also lapsed and held themselves out as self-certified. Even more seriously, these two companies failed to complete the mandatory withdrawal questionnaire, leaving previously collected personal data in legal limbo.
What should you do as a Privacy Shield participant to avoid FTC action?
How do you avoid accidentally falling out of compliance with Privacy Shield?
- Make sure that you update both the Department of Commerce and BBB EUPS (or your IRM) about any changes to your designated contact for purposes of Privacy Shield complaints and renewals.
- Renew your annual Privacy Shield self-certification on time. As a participant in BBB EUPS, we will remind you in a timely fashion, but we can’t ensure your timely renewal without your active participation in the process.
- If you are a BBB EUPS participant and you run into difficulties with the recertification process, please let us know. We’re here to help!
If you choose to withdraw from Privacy Shield—whether because you no longer transfer personal data from the EU to the U.S. or because your company is involved in a merger or acquisition—it is critical that you follow proper procedures.
In addition, you must return the mandatory withdrawal questionnaire to the Department of Commerce, affirming your ongoing commitment to handle data previously transferred under the Privacy Shield mechanism in a manner consistent with the Privacy Shield Principles.