On December 3, 2019, the Federal Trade Commission announced that it had reached settlements in four separate Privacy Shield cases. Specifically, the FTC alleged that Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to participate in the EU-U.S. Privacy Shield framework. The FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework and that Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield after their Privacy Shield certifications lapsed. The complaints further alleged that Global Data and TDARX failed to comply with the Privacy Shield framework, including by failing to (1) verify annually that statements about their Privacy Shield practices were accurate, and (2) affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlements, each of the companies is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government, or any self-regulatory or standard-setting organization. In addition, Global Data Vault and TDARX are required to continue to apply the Privacy Shield protections to personal information collected while participating in the program, or to return or delete that information.
The EU-U.S. and Swiss-U.S. Privacy Shield frameworks allow companies to transfer personal data lawfully from the EU and Switzerland, respectively, to the U.S. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, says “The Privacy Shield Framework is critical to facilitating transatlantic commerce and assuring our European partners of our commitment to data protection” and “Enforcement of the Privacy Shield framework is a priority of the FTC, and we will hold companies accountable where, as here, they fail to keep their Privacy Shield promises.” Since the frameworks were established in 2016, the FTC has brought a total of 21 enforcement actions related to the Privacy Shield.
A description of the consent agreement packages will be published in the Federal Register and will be subject to public comment for 30 days, after which the FTC will determine whether to make the proposed consent orders final.