Three U.S. companies have agreed to settle Federal Trade Commission charges that they misled consumers about their participation in the European Union-United States Privacy Shield framework, which allows companies to transfer consumer data from EU member states to the United States in compliance with EU law.
In separate complaints, the FTC alleges that human resources software company Decusoft, LLC, printing services company Tru Communication, Inc. (doing business as TCPrinting.net), and Md7, LLC, which manages real estate leases for wireless companies, violated the FTC Act by falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield. The FTC also alleged that Decusoft falsely claimed participation in the Swiss-U.S. Privacy Shield framework. Despite these claims, all three companies failed to complete the certification process for the Privacy Shield, according to the FTC complaints.
“Today’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce,” said Acting FTC Chairman Maureen K. Ohlhausen. “Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”
The actions against the three companies are the first cases the FTC has brought to enforce the EU-U.S. Privacy Shield framework, which was put in place in 2016 to replace the U.S.-EU Safe Harbor framework. The FTC brought 39 enforcement actions against companies under the U.S.-EU Safe Harbor framework. Like the Safe Harbor, the Privacy Shield is aimed at providing companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring consumer data between the EU and the United States. These cases join the four enforcement actions the FTC has brought related to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
Companies that want to join the Privacy Shield must be subject to the jurisdiction of the FTC or the U.S. Department of Transportation, and certify to the U.S. Department of Commerce that they comply with the Privacy Shield Principles. The Department of Commerce maintains the list of companies that have joined the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.
As part of their settlements with the FTC, the three companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements.
The Commission voted 2-0 to issue the administrative complaints and to accept the consent agreements with the three companies. The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through October 10, 2017, after which the Commission will decide whether to make the proposed consent orders final. Interested parties can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section for Decusoft, LLC, Tru Communication, Inc., and Md7, LLC.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $40,654.