The Federal Trade Commission’s (FTC) recently announced settlement with background check provider SecurTest, Inc. shows the agency remains vigilant regarding businesses’ claims that they comply with the EU-U.S. Privacy Shield Framework (Privacy Shield). Privacy Shield provides U.S. businesses with a legally recognized mechanism for receiving personal data in the United States from the EU. In its complaint against SecurTest, the FTC alleges that for several months SecurTest falsely claimed on its website that it complied with Privacy Shield when in fact it had not self-certified its Privacy Shield compliance with the U.S. Department of Commerce. The terms of the FTC’s decision and order prohibit SecurTest from misrepresenting its Privacy Shield compliance status and require it to submit to compliance monitoring and recordkeeping requirements.
Along with announcing its settlement with SecurTest, the FTC noted that, rather than beginning enforcement proceedings, it has issued a number of warning letters to businesses over similar alleged inaccurate statements about compliance with cross-border privacy and data security transfer programs like Privacy Shield:
- Thirteen letters were issued to businesses whose privacy policies allegedly claim to comply with the EU-U.S. and Swiss-U.S. Safe Harbor Frameworks, even though those frameworks were invalidated by the European Court of Justice in 2015; and
- Two letters were issued to businesses that have allegedly misrepresented that they participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) program.
The recipients of these warning letters were not named in the FTC’s press release.
Comment:
The FTC’s settlement with SecurTest continues an established FTC trend of employing its enforcement authority to monitor businesses’ compliance with Privacy Shield and similar cross-border data security provisions. The issuance of warning letters over alleged misrepresentations of compliance with CBPR, or over obsolete references to compliance with the invalidated EU-U.S. Safe Harbor, suggests that the agency may be open to using flexible methods and guidance tools in privacy and data security enforcement. Regardless, it remains important for businesses that handle personal information to review and update their privacy policies and other public claims about privacy and data security on an ongoing basis, so that those claims stay accurate and the business avoids potentially costly investigative and enforcement proceedings.