On September 8, 2017, the US Federal Trade Commission (FTC) announced that three US companies had reached a settlement regarding charges that the companies misled consumers in connection with their participation in the EU-US Privacy Shield (Privacy Shield). The Privacy Shield (which replaced the US-EU Safe Harbor framework in 2016) is a legal framework that allows companies to transfer consumer data between EU member states and the United States while remaining in compliance with EU law. According to the FTC, all three companies failed to complete the certification process for the Privacy Shield. Additionally, the FTC believed that one company falsely claimed to participate in the Swiss-US Privacy Shield framework. As part of their settlements with the FTC, these companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and must comply with FTC reporting requirements.
To join the Privacy Shield, a company must agree to be subject to the jurisdiction of the FTC or the US Department of Transportation, and certify to the US Department of Commerce (DOC) that it complies with the “Privacy Shield Principles.” The DOC maintains the list of companies that have joined the Privacy Shield, and the FTC enforces their compliance.
In these first cases the FTC has brought to enforce the Privacy Shield framework, the FTC voted 2–0 to issue administrative complaints and to accept consent agreements with the three companies. The consent agreements will be subject to public comment for 30 days, after which the FTC will decide whether to make the proposed consent orders final. An administrative complaint is issued when the FTC has “reason to believe” that the law has been or is being violated and the FTC believes that a proceeding is in the public interest. When the FTC issues a consent order on a final basis, it carries the force of law with respect to future actions and each violation may result in a civil penalty of up to $40,654.