On September 8, 2017, the Federal Trade Commission announced that it had settled charges against three companies for misleading consumers about their participation in the Privacy Shield framework. The FTC alleged that Decusoft, LLC, Tru Communication, Inc. and Md7, LLC violated the FTC Act by falsely claiming that they were certified to the EU-U.S. Privacy Shield, when in fact the three companies never completed the Privacy Shield certification process. In addition, Decusoft falsely claimed to be certified to the Swiss-U.S. Privacy Shield. This marks the first enforcement action brought by the FTC pursuant to the Privacy Shield.

As part of the settlements, the companies will be prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization. They also must comply with FTC reporting requirements.

According to Acting FTC Chairman Maureen K. Ohlhausen, “[t]oday’s actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce. . . .Companies that want to benefit from these agreements must keep their promises or we will hold them accountable.”