Privacy & Cybersecurity Law Blog

On January 16, 2020, the Federal Trade Commission announced that settlements with five companies of separate allegations that they had falsely claimed certification under the EU-U.S. Privacy Shield framework had been finalized.

The FTC had alleged, in separate actions, that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc., had made false claims on their websites that they were certified under the EU-U.S. Privacy Shield. In the case of LotaData, the FTC also alleged that the company had falsely claimed certified participation in the Swiss-U.S. Privacy Shield framework.

The EU-U.S. and Swiss-U.S. Privacy Shield frameworks allow companies to transfer personal data lawfully from the EU and Switzerland, respectively, to the U.S.

Lastly, the FTC had alleged that EmpiriStat, Inc., (1) falsely claimed current participation in the EU-U.S. Privacy Shield after its certification had lapsed; (2) failed to verify annually that its statements related to its Privacy Shield practices were accurate; and (3) failed to affirm it would continue to apply Privacy Shield protections to personal information it collected while participating in the framework.

Per the settlements, each of the five companies is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework or any other privacy or data security program sponsored by the government or any self-regulatory or standard-setting body. EmpiriStat is further required to apply Privacy Shield protections to the personal information it collected while participating in the program, or return or delete that information.

The FTC had announced its issuance of proposed administrative complaints and consent agreements in these matters on September 3, 2019. After receiving no comments on the agreements, the FTC voted 5-0 to approve these settlements.