On June 30, 2020, the Federal Trade Commission (“FTC”) announced it had entered into a consent agreement (the “Proposed Settlement”) with NTT Global Data Centers Americas, Inc. (“NTT”), a successor in interest to RagingWire Data Centers, Inc. (“RagingWire”), to settle allegations in a November 2019 Administrative Complaint that RagingWire misrepresented its participation in and compliance with the EU-U.S. Privacy Shield Framework (“Privacy Shield”), in violation of the FTC Act.
Specifically, the FTC alleged that RagingWire represented that from at least January 2017 to October 2018, it was a current participant in the Privacy Shield, whereas its certification had lapsed from at least January 2018 until approximately June 2019. In addition, the FTC alleged that RagingWire failed to (1) verify its Privacy Shield assertions, (2) comply with the Privacy Shield requirement that it maintain an independent recourse mechanism for the period of approximately October 2017 to June 2018, and (3) comply with continuing obligations under the Privacy Shield.
Notably, the Proposed Settlement provides that for as long as NTT participates in the Privacy Shield, it shall obtain an annual outside compliance review from an independent third-party assessor regarding its Privacy Shield assertions and practices. The independent assessor must be approved by the Associate Director for the Division of Enforcement of the Bureau of Consumer Protection at the FTC. The review is to demonstrate that NTT’s assertions about its Privacy Shield practices are true and that those practices have been implemented as represented and in accordance with the Privacy Shield Principles. The third-party assessor must make its signed statement verifying the review available to the FTC upon request. NTT is further ordered not to misrepresent compliance with or participation in privacy programs, to meet continuing Privacy Shield obligations and to comply with report and notice, recordkeeping and monitoring requirements.
In voting to accept the proposed settlement, the FTC Commissioners’ majority statement noted, “This order is, in fact, more protective of the Privacy Shield Principles than the 14 orders this Commission . . . has approved in prior Privacy Shield cases. Specifically, it requires Respondent to obtain third-party assessments for as long as it participates in Privacy Shield.”
Public comments on the consent agreement must be received by the FTC on or before August 10, 2020.