The Federal Trade Commission fined US companies that violated EU-US Privacy Shield provisions
The EU-US Privacy Shield is designed to allow personal data of European citizens to be transferred to US companies in compliance with the GDPR. US companies commit themselves to complying with the required data protection principles and to guaranteeing the rights of data subjects. The Federal Trade Commission (FTC) is responsible for verifying compliance with the EU-US Privacy Shield.
Five American companies have been accused by the FTC of unfair business practices under the EU-US Privacy Shield:
The FTC accused the companies DCR Workforce, Inc., Thru, Inc., LotaData, Inc. and 214 Technologies, Inc. of falsely claiming that they were certified under the EU-US Privacy Shield and pretending that they were complying with the requirements. The FTC also accused EmpiriStat, Inc. of continuing to claim to be a current participant in the EU-US Privacy Shield, even though it had lost its certification. EmpiriStat also failed to perform annual verifications that its privacy practices comply with the EU-US Privacy Shield requirements.
After the FTC brought five separate actions against the companies, they have now reached a settlement. The settlement prohibits the companies from “misrepresenting their participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.”
The settlements show that the FTC protects compliance with the EU-US Privacy Shield and supports other US companies that comply with the requirements. Consumers should also be protected and warned against false claims by companies regarding their privacy practices. There is ongoing criticism that the Privacy Shield cannot be considered sufficient with regard to the requirements set by the GDPR and the European Court of Justice. The settlements show that the FTC is actually punishing offenders (even though it’s not clear if audits are conducted properly), which helps to argue in favor of the Privacy Shield. Still, companies should be aware that changes to international data transfers might be necessary in the future.
Your Contact: Dr. Matthias Lachenmann, Data Protection Officer (UDIScert), Phone: +49 (0) 221 270 956 260; E-Mail: firstname.lastname@example.org