The Federal Trade Commission sent an important message to companies participating in the EU-U.S. Privacy Shield earlier this year when the agency announced that settlements had been finalized with five companies over separate allegations that they had falsely claimed certification under the framework.

The EU-U.S. and Swiss-U.S. Privacy Shield frameworks make it possible for companies to lawfully transfer personal data from the EU and Switzerland, respectively, to the U.S. in compliance with the EU General Data Protection Regulation (GDPR).

The FTC announcement can be found here.

In the individual actions, the FTC alleged that:

  • DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc., each falsely represented on their websites that they were certified under the EU-U.S. Privacy Shield. In the case of LotaData, the FTC also alleged that the company had falsely claimed certified participation in the Swiss-U.S. Privacy Shield framework.
  • EmpiriStat, Inc., (1) falsely claimed that it participated in the EU-U.S. Privacy Shield after its certification had lapsed; (2) failed to verify that statements it made with respect to its Privacy Shield practices were accurate; and (3) failed to affirm it would continue to apply Privacy Shield protections to personal information it collected while participating in the framework.

The settlements prohibit each of the five companies from misrepresenting their participation in the EU-U.S. Privacy Shield framework or any other privacy or data security program, whether sponsored by a government, a self-regulatory body or a standard-setting body. The EmpiriStat settlement further requires the company either to continue applying Privacy Shield protections to the personal information it collected while participating in the program or to return or delete that information.

With these settlements, the FTC sends a strong message that companies participating in the Privacy Shield framework must stay current with its requirements, including keeping their certification active, and must verify that their public statements about their data practices and their participation in the program are accurate.

Achieved Compliance can help you understand and carry out the steps necessary to apply for certification with confidence, remain in compliance and reap the benefits of the Privacy Shield program.

As the FTC steps up enforcement of Privacy Shield commitments and EU regulators step up enforcement of the GDPR, Achieved Compliance has the tools and the team to guide you through a review and remediation process. Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators' expectations.

ACS PrivacyMinder® software platform.

Achieved Compliance demystifies and simplifies data protection compliance. Our PrivacyMinder® software provides busy business professionals with an efficient, step-by-step, streamlined process for establishing the foundations of data protection compliance. Basic compliance can be completed in two days. Using PrivacyMinder®, you will generate the data maps and gap analysis reports necessary to establish compliance across more than 50 company departments. Our solutions come with clear guidance and do not over-complicate basic tasks. PrivacyMinder® achieves results and minimizes the learning curve.

Data Protection Impact Assessment (DPIA)

Using the output from PrivacyMinder®, Achieved Compliance can guide you quickly through the structured DPIA the GDPR requires. The analysis required by the GDPR differs from a traditional risk assessment by shifting the focus from risk to the organization to risk to the individual. It requires companies to ask whether the processing of personal data raises risks to the rights and freedoms of individuals as defined by the GDPR.

I invite you to attend a webinar covering the Privacy Shield, the DPIA and a demo of our PrivacyMinder® platform.

Achieved Compliance has discussed Privacy Shield issues in earlier blog posts.