Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which as we have reported on previously gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.
This last point was a particular concern for both the EU the US Department of Commerce when the program was put in place was the possibility of companies saying that they participated in the program when, in fact, they did not. Illustrating enforcement efforts in this area, in July, the FTC brought action against ReadyTech an online training company, for saying that “it was in the process of certifying” compliance with the program when in fact, although the application was filed with the Department of Commerce, the company did not take the remaining steps needed to participate. The settlement with ReadyTech was finalized in October. In four similar cases, the FTC alleged that IDmission, mResource, SmartStart Employment Screening, and VenPath also each stated incorrectly that they were certified under the program. IDmission, however, like ReadyTech, had started but not completed the certification process. mResource, SmartStart and VenPath had been certified previously, but their certifications had lapsed.
Putting it Into Practice: The EU will be reviewing Privacy Shield’s sufficiency again at the end of 2019. In anticipation of this review, we expect to see ongoing enforcement from the FTC, in particular for companies whose policies state they are participating in the program when they have not been certified, or their certifications have lapsed.