On September 8, 2017, the Federal Trade Commission (FTC) announced settlement of its first enforcement action involving the terms of the Privacy Shield. Three companies – Decusoft, LLC, Tru Communication, Inc., and Md7, LLC were alleged to have violated the Federal Trade Commission Act (FTC Act) by falsely claiming that they were certified to the EU-U.S. Privacy Shield. In fact, they had not completed the certification process required. One of the companies, Decusoft, falsely claimed not to be certified to the Swiss-U.S. Privacy Shield.

As part of their settlements with the FTC, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. Acting FTC Chair Maureen K. Ohlhausen stated that “[t]oday’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce… Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”

The EU-U.S. Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. Companies must self-certify that they meet the requirements of the Privacy Shield and that they transfer data in accordance with the Privacy Shield framework.

Achieved Compliance certified to the program in July.

Companies that join the Privacy Shield must be subject to the jurisdiction of the FTC or the U.S. Department of Transportation, and certify to the U.S. Department of Commerce that they comply with the Privacy Shield Principles. Section 5(a) of the FTC Act (15 USC §45) prohibits “unfair or deceptive acts or practices in or affecting commerce.”

The Department of Commerce maintains the list of companies that have joined the framework, while the FTC enforces the commitments companies make when joining the Privacy Shield.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact info@achievedcompliance.com.