Privacy & Information Security Law Blog

On June 14, 2019, the Federal Trade Commission announced that it has taken action against a number of companies that allegedly misrepresented their compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, the “Privacy Shield”) and other international privacy agreements.

SecurTest, Inc. (“SecurTest”) reached a settlement agreement with the FTC over allegations that it falsely claimed to participate in the Privacy Shield. As part of the proposed settlement, SecurTest, which has since completed the steps necessary to participate in the Privacy Shield, is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government, self-regulatory or standard-setting organization. The proposed settlement agreement will be published in the Federal Register and subject to public comment for 30 days, after which the FTC will make a determination regarding whether to make the proposed consent order final.

The FTC also reported that it sent warning letters to 13 companies for claiming to participate in the U.S.-EU and U.S.-Swiss Safe Harbor frameworks and to two companies for falsely claiming to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (the “APEC CBPR”) system. The Safe Harbor frameworks, which were replaced by the Privacy Shield frameworks in 2016, are no longer in force and all self-certifications under the Safe Harbor agreements have expired.

The FTC requested that the 13 companies remove from their websites, privacy policies or public documents any statements claiming participation in either of the Safe Harbor frameworks, and requested that the two companies either (1) remove from their websites, privacy policies, or other public documents any statements that might be construed as claiming participation or involvement in the APEC CBPR system or (2) prove that they had undergone the requisite review and certification.