Three U.S. companies have entered into consent agreements with the Federal Trade Commission (FTC) for allegedly misrepresenting their participation in the European Union-United States Privacy Shield framework. These are the FTC’s first actions to enforce the EU-US Privacy Shield framework that was put in place in 2016 to replace the US-EU Safe Harbor framework.

The EU-US Privacy Shield framework provides a mechanism for U.S. companies to transfer personal data outside the European Union (EU) that is consistent with the 1995 EU Directive on Data Protection. The Directive sets forth EU requirements for privacy and the protection of personal data and, among other things, prohibits the transfer of personal data outside the EU unless the European Commission has made a determination that the recipient jurisdiction’s laws ensure the protection of such personal data.

To satisfy this adequacy standard, the Department of Commerce and the European Commission negotiated the EU-US Privacy Shield framework, which went into effect in July 2016. The Swiss-US Privacy Shield framework, which went into effect in April 2017, is identical to the EU-US Privacy Shield framework and is consistent with the requirements of the Swiss Federal Act on Data Protection.

To join the EU-US Privacy Shield framework, a company must self-certify to the Department of Commerce that it complies with the EU-US or Swiss-US Privacy Shield Principles. The Department of Commerce maintains a public website where it posts the names of companies that have self-certified to the EU-US and/or Swiss-US Privacy Shield framework.

  • The action against Md7, LLC, a Delaware company that assists members of the wireless industry with real estate-related issues, alleges that Md7 falsely represented that it participated in the EU-US Privacy Shield framework when it initiated an application with the Department of Commerce, but had not completed the steps necessary to participate in the framework.
  • The action against True Communication Inc., d/b/a, a California corporation that provides printing services, involves identical allegations to the Md7 complaint, despite the language in the company’s privacy policy, which stated it would “remain compliant and current with Privacy Shield at all times.”
  • The action against Decusoft, LLC, a New Jersey company that develops software for human resources applications, is identical to the others and also references its alleged failure to complete the Swiss-US Privacy Shield application process.

Each of the settlements prohibits the respondents from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization. The FTC’s actions are an important reminder that it is crucial for companies to ensure that their privacy policies are accurate. The settlements are open for public comment until October 10, 2017.