Five companies accused of falsely claiming that they were certified under the EU–U.S. Privacy Shield framework have settled with the Federal Trade Commission (FTC).
The Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with the European Union Directive on Data Protection.
In separate actions, the FTC alleged that DCR Workforce, Inc., EmpiriStat, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. all fallaciously stated on their websites that they were certified under the framework when in fact their certification had either lapsed or never been ratified.
According to the FTC, management software provider DCR Workforce obtained Privacy Shield certification in January 2017 but continued to claim its participation in the framework even after that certification lapsed in February 2018.
EmpiriStat did slightly better. The company obtained Privacy Shield certification in February 2017 and actually initiated an application for re-certification in January 2018. However, the FTC alleged that the statistical analysis and support services provider failed to complete all the steps necessary to gain re-certification from the Department of Commerce.
Facial-recognition software provider 214 Technologies, cloud-based file-transfer software provider Thru, and LotaData, which provides analyses of mobile users’ data, are all alleged to have claimed participation in the framework despite having neglected to complete their applications for certification.
LotaData is possibly the worst offender, with the FTC alleging that the company also falsely claimed that it was a certified participant in the Swiss–U.S. Privacy Shield framework, which establishes a data-transfer process similar to the EU–U.S. Privacy Shield framework.
“These companies made false claims about complying with Privacy Shield, and today’s settlements show that the FTC is protecting Privacy Shield’s integrity and supporting the thousands of U.S. businesses who do it right,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.
As part of the proposed settlements with the FTC, all five companies are prohibited from misrepresenting the extent to which they participate in any privacy or data-security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program or return or delete the information.