Failure to Certify: Companies That Falsely Claim They Are Privacy Shield Certified or Let Their Certification Lapse Face Enforcement Action.

By: Nicole Kardell

Does your company’s privacy policy include a claim that it is Privacy-Shield certified? If so, you should ensure that it is, in fact, certified and that the certification has not lapsed. Failures in this area are low-hanging fruit for government enforcement actions.  

A little background on the Privacy Shield Framework. 

The U.S. Privacy Shield framework facilitates the legal transfer of consumer data from the E.U. to the U.S. (note there is a separate, but similar, framework for transfers from Switzerland to the U.S.). It is a useful tool for companies that must deal with GDPR and that regularly transfer data from Europe (more specifically, the European Economic Area) to the U.S. Instead of needing to develop special corporate rules for European authorities’ approval or addressing data transfers on a contract-by-contract basis, companies can work through the Privacy Shield certification process and more neatly fold their certification into their E.U.-U.S. data transfer arrangements. 

The U.S. Department of Commerce, which oversees the certification process, maintains a website that outlines the process for certification: https://www.privacyshield.gov/welcome. The website can help answer the general questions on what to do to become certified, what you can and cannot claim in public statements, and when you can make claims as to certification. It is also the portal through which companies self-certify and notify Commerce of their certification. The website as well as the process is reasonably straightforward. Nonetheless, many companies face pitfalls, which can lead to a government enforcement action.  

U.S. enforcement of Privacy Shield Certification. 

The Federal Trade Commission, which is charged with enforcing compliance with the U.S. Privacy Shield framework under Section 5 of the FTC Act, is regularly pursuing companies for falsely claiming they are Privacy Shield certified. Issues that companies face include: (1) prematurely publishing certification claims before the process is finalized, (2) failing to meet the Privacy Shield requirements, and (3) failing to recertify annually.  

Here are some recent examples of FTC enforcement actions: 

• Current: An enforcement action is pending before the FTC against NTT Global Data Centers Americas, Inc. (f/k/a RagingWire Data Centers, Inc.); the FTC alleges the company misled consumers about its participation in the EU-U.S. Privacy Shield framework and failed to adhere to the program’s requirements before allowing its certification to lapse. 
• March 30, 2020: The FTC announced a settlement with Ortho-Clinical Diagnostics, Inc., settling allegations that the company claimed Privacy Shield certification after it let its certification lapse in 2018. 

• January 16, 2020: The FTC announced settlements with five companies—DCR Workforce, Inc., Thru, Inc., LotaData, Inc., 214 Technologies, Inc., and EmpiriStat, Inc.—settling allegations that the companies falsely claimed certification or allowed their certification to lapse.  
• December 3, 2019: The FTC announced settlements with four companies—Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, TDARX, Inc.—settling allegations that the companies falsely claimed participation in the Privacy Shield framework, including allegations that two of the companies failed to comply with Privacy Shield requirements and two of the companies allowed their certifications to lapse. 

Take-aways on companies at risk of an enforcement action. 

At the risk of sounding overly-critical, these issues that have generated enforcement actions can, and should, be avoided. As mentioned earlier, the Department of Commerce’s Privacy Shield website is pretty straightforward. And Privacy Shield requirements are outlined there in plain, user-friendly, language. 

What is most troubling is when companies fail to fix certifications issues even after receiving a notice from the government. For instance, in the FTC announcement regarding Ortho-Clinical Diagnostics, the press statement notes that the Department of Commerce warned the company that its certification had lapsed and that it needed to recertify. But the company failed to do so. Failing to heed an agency’s notice is, frankly, mystifying.  

Here are some pointers to avoid the easily-avoidable pitfalls: 

• Review carefully the Department of Commerce’s Privacy Shield website to note the requirements. Create a list and check it off as you complete each requirement. Make sure all are completed!  
• Create an annual tickler to remind you to confirm compliance and to recertify. That tickler alert should come well in advance of recertification so that you can research any changes in requirements or any changes in your company’s policies and practices. 
• Do NOT claim you are Privacy Shield certified in your privacy policy until you actually are. Some companies develop their Privacy Shield-based policy and publish it before they finalize the process. This is premature and can be problematic. 
• Make sure you are tracking and filing communications with the Department of Commerce. And make sure the person in your company responsible for these communications is, in fact, responsible and responsive. Update the contact person if that person leaves the company or changes jobs within the company. Make a note of your company’s log in information so you can access your organization’s information quickly. 

• Consider walking through the process with counsel who should be able to efficiently guide the process, for instance, in how and when to address certification in your public-facing statements. Counsel can also remind you of the annual re-certification. 

In sum… 

The Privacy Shield framework is a useful tool and certification is reasonably straightforward. The companies that have come under fire with the FTC shouldn’t have. And now they face bad press and credibility issues with their business partners. We highly recommend companies interested in Privacy Shield certification do their homework and involve the right people in the certification and renewal process.