On August 21, the Federal Trade Commission approved a final consent order settling charges that SecurTest, Inc., a background screening company, falsely claimed to be in compliance with international privacy frameworks.
The EU-U.S. and Swiss-U.S. Privacy Shield frameworks establish standards for the transfer of consumer data from European Union countries and Switzerland to the United States in compliance with EU and Swiss law, respectively. The Privacy Shield program is administered by the International Trade Administration (“ITA”) within the U.S. Department of Commerce.
To join the Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the framework’s requirements. Once an organization makes the public commitment to comply with the framework, the commitment becomes enforceable by the FTC under U.S. law.
The FTC filed a complaint alleging that, although SecurTest initiated a Privacy Shield application with the U.S. Department of Commerce in September 2017, the company did not complete the steps necessary to be certified as compliant. According to the complaint, because SecurTest had failed to complete its certification, it was “not a certified participant in the frameworks, despite representations to the contrary on its website.”
Under the settlement, SecurTest is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. It also must comply with reporting and compliance requirements.
This action is part of a wave of FTC crackdowns on companies that falsely claim participation in international privacy agreements. In separate actions, the FTC recently sent warning letters to more than a dozen companies for falsely claiming to participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively.
Because these Safe Harbor agreements are no longer in force, and the last valid self-certifications have expired, no company can accurately claim to participate in those frameworks. The FTC has called on these companies to remove from their websites references to privacy policies or any other public documents or statements claiming they participate in either of the Safe Harbor frameworks or face further FTC action.
In addition to international privacy frameworks, the FTC also continues to focus on privacy and data security more generally, including a number of notable enforcement actions against companies that allegedly failed to follow their own public privacy statements and policies. The FTC’s treatment of such actions as unfair, deceptive, or abusive practices (“UDAP”) under Section 5 of the FTC Act represents a significant area of privacy enforcement.